WO2020049754A1 - Information processing method, information processing program, information processing apparatus, and information processing system - Google Patents

Information processing method, information processing program, information processing apparatus, and information processing system Download PDF

Info

Publication number
WO2020049754A1
WO2020049754A1 PCT/JP2019/005681 JP2019005681W WO2020049754A1 WO 2020049754 A1 WO2020049754 A1 WO 2020049754A1 JP 2019005681 W JP2019005681 W JP 2019005681W WO 2020049754 A1 WO2020049754 A1 WO 2020049754A1
Authority
WO
WIPO (PCT)
Prior art keywords
information processing
public key
hash value
processing method
generating
Prior art date
Application number
PCT/JP2019/005681
Other languages
French (fr)
Japanese (ja)
Inventor
久利寿 帝都
Original Assignee
コネクトフリー株式会社
Priority date (The priority date is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the date listed.)
Filing date
Publication date
Application filed by コネクトフリー株式会社 filed Critical コネクトフリー株式会社
Priority to JP2020540994A priority Critical patent/JP7054559B2/en
Priority to US17/273,611 priority patent/US11902454B2/en
Priority to EP19857922.9A priority patent/EP3849131A4/en
Priority to TW108132097A priority patent/TWI802749B/en
Priority to TW112114414A priority patent/TW202347986A/en
Publication of WO2020049754A1 publication Critical patent/WO2020049754A1/en
Priority to JP2021189977A priority patent/JP2022031777A/en
Priority to US18/393,835 priority patent/US20240129137A1/en

Links

Images

Classifications

    • HELECTRICITY
    • H04ELECTRIC COMMUNICATION TECHNIQUE
    • H04LTRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L9/00Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols
    • H04L9/32Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols including means for verifying the identity or authority of a user of the system or for message authentication, e.g. authorization, entity authentication, data integrity or data verification, non-repudiation, key authentication or verification of credentials
    • H04L9/3263Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols including means for verifying the identity or authority of a user of the system or for message authentication, e.g. authorization, entity authentication, data integrity or data verification, non-repudiation, key authentication or verification of credentials involving certificates, e.g. public key certificate [PKC] or attribute certificate [AC]; Public key infrastructure [PKI] arrangements
    • HELECTRICITY
    • H04ELECTRIC COMMUNICATION TECHNIQUE
    • H04LTRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L9/00Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols
    • H04L9/32Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols including means for verifying the identity or authority of a user of the system or for message authentication, e.g. authorization, entity authentication, data integrity or data verification, non-repudiation, key authentication or verification of credentials
    • H04L9/3263Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols including means for verifying the identity or authority of a user of the system or for message authentication, e.g. authorization, entity authentication, data integrity or data verification, non-repudiation, key authentication or verification of credentials involving certificates, e.g. public key certificate [PKC] or attribute certificate [AC]; Public key infrastructure [PKI] arrangements
    • H04L9/3268Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols including means for verifying the identity or authority of a user of the system or for message authentication, e.g. authorization, entity authentication, data integrity or data verification, non-repudiation, key authentication or verification of credentials involving certificates, e.g. public key certificate [PKC] or attribute certificate [AC]; Public key infrastructure [PKI] arrangements using certificate validation, registration, distribution or revocation, e.g. certificate revocation list [CRL]
    • HELECTRICITY
    • H04ELECTRIC COMMUNICATION TECHNIQUE
    • H04LTRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L9/00Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols
    • H04L9/06Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols the encryption apparatus using shift registers or memories for block-wise or stream coding, e.g. DES systems or RC4; Hash functions; Pseudorandom sequence generators
    • H04L9/0643Hash functions, e.g. MD5, SHA, HMAC or f9 MAC
    • HELECTRICITY
    • H04ELECTRIC COMMUNICATION TECHNIQUE
    • H04LTRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L9/00Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols
    • H04L9/32Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols including means for verifying the identity or authority of a user of the system or for message authentication, e.g. authorization, entity authentication, data integrity or data verification, non-repudiation, key authentication or verification of credentials
    • H04L9/3236Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols including means for verifying the identity or authority of a user of the system or for message authentication, e.g. authorization, entity authentication, data integrity or data verification, non-repudiation, key authentication or verification of credentials using cryptographic hash functions
    • HELECTRICITY
    • H04ELECTRIC COMMUNICATION TECHNIQUE
    • H04LTRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L2209/00Additional information or applications relating to cryptographic mechanisms or cryptographic arrangements for secret or secure communication H04L9/00
    • H04L2209/80Wireless
    • H04L2209/805Lightweight hardware, e.g. radio-frequency identification [RFID] or sensor
    • HELECTRICITY
    • H04ELECTRIC COMMUNICATION TECHNIQUE
    • H04LTRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00Network architectures or network communication protocols for network security
    • H04L63/08Network architectures or network communication protocols for network security for authentication of entities
    • H04L63/0823Network architectures or network communication protocols for network security for authentication of entities using certificates
    • HELECTRICITY
    • H04ELECTRIC COMMUNICATION TECHNIQUE
    • H04LTRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L9/00Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols
    • H04L9/08Key distribution or management, e.g. generation, sharing or updating, of cryptographic keys or passwords
    • H04L9/0861Generation of secret information including derivation or calculation of cryptographic keys or passwords

Definitions

  • the present disclosure relates to an information processing method, an information processing program, an information processing device, and an information processing system.
  • an Internet service provider manages the IP address of each device connected to the Internet. For example, when a predetermined device is connected to the Internet, the ISP assigns an IP address to the predetermined device. Thereafter, the predetermined device can access a web server on the Internet using the IP address assigned by the ISP.
  • the device is connected to a communication network such as the Internet, intervention of a business operator that manages an IP address such as an ISP is required, and a user experience or a user's convenience in connecting to the communication network is required. There is room for improvement in terms of improvement.
  • the present disclosure aims to provide an information processing method, an information processing program, an information processing apparatus, and an information processing system capable of improving a user experience or a user's convenience for connection to a communication network.
  • An information processing method is executed by a processor of an apparatus, Generating a public key of the device based on a secret key of the device; Generating a hash value based on the public key and a predetermined hash function; Determining a network address of the device based on the hash value; including.
  • the information processing method may further include a step of generating the secret key.
  • the information processing method may further include a step of transmitting the public key to an external device existing outside the device.
  • the information processing method may further include a step of determining whether the hash value satisfies a predetermined condition. When the hash value satisfies the predetermined condition, the network address may be determined based on the hash value.
  • the information processing method may further include a step of generating the secret key.
  • generating the secret key until the hash value satisfies the predetermined condition; generating the public key; and generating the hash value. May be repeatedly executed.
  • the predetermined condition may include a condition associated with the first two digits of the hash value.
  • the predetermined condition may include a condition associated with the type of the device.
  • the step of generating the hash value may include the step of generating the hash value based on the public key, a value associated with a predetermined organization, and the predetermined hash function.
  • the value associated with the predetermined organization may be a value associated with a trademark of the predetermined organization.
  • the information processing method may further include a step of obtaining an electronic certificate associated with the public key from a certificate authority.
  • the information processing method may further include a step of transmitting the public key and the electronic certificate to an external device existing outside the device.
  • the electronic certificate may include information related to the attribute of the device.
  • the electronic certificate may include attribute information of a user associated with the device.
  • the electronic certificate is Attribute information of the device and / or a user associated with the device; A hash value of the entire attribute information; May be included.
  • a part of the attribute information may be hashed.
  • a part of the attribute information may be hashed based on a part of the attribute information and a predetermined coefficient.
  • the information processing method includes: Receiving a public key of the external device from an external device existing outside the device, Generating a hash value of the external device based on the public key of the external device and the predetermined hash function; Determining a network address of the external device based on a hash value of the external device.
  • the step of receiving the public key of the external device may include the step of receiving a public key of the external device and an electronic certificate associated with the public key.
  • the information processing method may further include a step of determining whether the electronic certificate is valid. When it is determined that the electronic certificate is valid, a hash value of the external device may be generated based on a public key of the external device.
  • the information processing method is executed by a processor of an apparatus, and includes a step of determining a network address of the apparatus based on a public key of the apparatus.
  • the information processing method may further include a step of executing communication using the network address of the device without using a server that manages the network address.
  • the information processing method may be executed in a network layer of the OSI reference model.
  • an information processing program for causing a computer to execute the information processing method is provided. Further, a computer-readable storage medium storing the information processing program is provided.
  • the information processing apparatus includes at least one processor and a memory that stores computer-readable instructions.
  • the information processing device is configured to execute the information processing method when the computer readable instruction is executed by the processor.
  • An information processing system includes a first device and a second device communicably connected to the first device.
  • the first device comprises: Generating a first public key of the first device based on a first secret key of the first device; Generating a first hash value based on the first public key and a predetermined hash function; Determining a first network address of the first device based on the first hash value; Transmitting the first public key to the second device;
  • the second device includes: Generating a second public key of the second device based on a second secret key of the second device; Generating a second hash value based on the second public key and the predetermined hash function; Determining a second network address of the second device based on the second hash value; Transmitting the second public key to the first device;
  • the first device comprises: Receiving the second public key from the second device; Generating the second hash value based on the second public key and the predetermined hash function; The second network address is determined based on the first
  • the first device includes: Sending the first public key to a certificate authority, Obtaining a first digital certificate associated with the first public key from the certificate authority; The first electronic certificate and the first public key may be transmitted to the second device.
  • the second device includes: Transmitting the second public key to the certificate authority or another certificate authority, Obtaining a second digital certificate associated with the second public key from the certificate authority or the another certificate authority, The second electronic certificate and the second public key may be transmitted to the first device.
  • the first device comprises: Receiving the second public key and the second digital certificate from the second device; It may be determined whether the second electronic certificate is valid.
  • the second device includes: Receiving the first public key and the first digital certificate from the first device; It may be determined whether the first digital certificate is valid.
  • an information processing method capable of improving a user experience or a user's convenience for connection to a communication network.
  • FIG. 1 is a diagram illustrating an example of a hardware configuration of an information processing apparatus according to an embodiment (hereinafter, referred to as an embodiment) of the present invention.
  • 13 is a flowchart illustrating an example of a process for determining an IP address of an information processing device.
  • FIG. 2 is a diagram illustrating an information processing apparatus and a server on the Internet.
  • FIG. 1 is a diagram illustrating an information processing system including two information processing apparatuses.
  • 9 is a flowchart illustrating an example of a process for determining an IP address of an external device.
  • 9 is a flowchart illustrating an example of a process of determining the validity of an electronic certificate transmitted from an external device.
  • FIG. 2 is a diagram illustrating an information processing system including four information processing apparatuses.
  • FIG. 7 is a diagram illustrating an example of an electronic certificate before and after a part of user attribute information is hashed.
  • FIG. 1 is a diagram illustrating an example of a hardware configuration of the information processing apparatus 2 according to the present embodiment.
  • the information processing device 2 (hereinafter, simply referred to as “device 2”) includes a control unit 20, a storage device 23, a network interface 25, a display unit 26, and an input operation unit 27. Prepare. These are communicably connected to each other via a bus 29.
  • the device 2 may be, for example, a personal computer, a smartphone, a tablet, or a wearable device (for example, a smart watch, AR glass, or the like) attached to a user's body (for example, an arm or a head).
  • the device 2 may be a control device installed in a smart home appliance, a connected car, a factory, or the like.
  • the type of the device 2 includes all objects that are connected to a communication network such as the Internet using an IP address (an example of a network address) and that include a processor and a memory.
  • the device 2 includes the display unit 26 and the input operation unit 27, but these are not essential components of the device 2.
  • the control unit 20 is configured to control the operation of the device 2, and includes a memory and a processor.
  • the memory is configured to store computer readable instructions (eg, an information processing program).
  • the memory may include a ROM (Read Only Memory) storing various programs and the like, a RAM (Random Access Memory) having a plurality of work areas storing various programs executed by the processor, and the like.
  • the memory may be constituted by a flash memory or the like.
  • the processor is, for example, a CPU, an MPU (Micro Processing). Unit) and at least one of a GPU (Graphics Processing Unit).
  • the CPU may be configured by a plurality of CPU cores.
  • the GPU may be configured by a plurality of GPU cores.
  • the processor may be configured to develop a program specified from various programs incorporated in the storage device 23 or the ROM on the RAM, and to execute various processes in cooperation with the RAM.
  • the processor executes the information processing program stored in the memory
  • the device 2 is configured to execute the information processing method according to the present embodiment.
  • the storage device 23 is, for example, a storage device (storage) such as an HDD (Hard Disk Drive), an SSD (Solid State Drive), or a flash memory, and is configured to store programs and various data.
  • the information processing program according to the present embodiment transmitted from a server on the Internet may be stored in the storage device 23.
  • the network interface 25 is configured to connect the device 2 to a communication network.
  • the network interface 25 may include various wired connection terminals for communicating with an external device such as a server via a communication network.
  • the network interface 25 may include various processing circuits and an antenna for communicating with a wireless router or a wireless base station.
  • the wireless communication standard is, for example, Wi-Fi (registered trademark), Bluetooth (registered trademark), ZigBee (registered trademark), LPWA, or a fifth generation mobile communication system (5G).
  • the communication network includes at least one of a local area network (LAN), a wide area network (WAN), a radio access network (RAN), and the Internet.
  • the display unit 26 may be a display device such as a liquid crystal display or an organic EL display, or may be a transmissive or non-transmissive head mounted display mounted on the operator's head. Further, the display unit 26 may be a projector device that projects an image on a screen.
  • the input operation unit 27 is configured to receive an input operation of a user who operates the device 2 and generate an instruction signal corresponding to the input operation.
  • the input operation unit 27 is, for example, a touch panel arranged on the display unit 26, operation buttons attached to a housing, a mouse and / or a keyboard, and the like. After the instruction signal generated by the input operation unit 27 is transmitted to the control unit 20 via the bus 29, the control unit 20 performs a predetermined operation according to the instruction signal.
  • the display unit 26 and the input operation unit 27 may be connected to the device 2 via an input / output interface such as a USB.
  • FIG. 2 is a flowchart illustrating an example of a process for determining an IP address (for example, a global IP address) of the device 2.
  • the control unit 20 of the device 2 generates a secret key of the device 2 using a random number generator.
  • the random number generator may be realized by an OS program of the device 2 or may be realized as a hardware configuration (a logic circuit or the like) of the device 2.
  • the size of the generated secret key is, for example, 512 bits.
  • step S2 the control unit 20 generates a public key of the device 2 based on the generated secret key and a predetermined encryption algorithm.
  • the predetermined encryption algorithm is, for example, an elliptic curve encryption algorithm.
  • the size of the generated public key is, for example, 256 bits.
  • step S3 the control unit 20 generates a hash value based on the generated public key and a predetermined hash function.
  • the predetermined hash function is a cryptographic hash function, for example, BLAKE is used.
  • the size of the generated hash value is, for example, 256 bits.
  • the control unit 20 may generate a hash value based on the generated public key, a value associated with a predetermined organization, and a predetermined hash function in step S3.
  • an example of the value associated with the predetermined organization is a value associated with the trademark of the predetermined organization.
  • the trademark X for example, “connectFree”
  • the value of the trademark X may be used when generating the hash value. In this case, it is possible to prevent a third party other than the predetermined organization from creating an information processing program for executing the information processing method according to the present embodiment without permission of the predetermined organization.
  • step S4 determines whether or not the generated hash value satisfies the condition associated with the first two digits (first and second digits) of the hash value displayed in hexadecimal.
  • a determination is made (step S4).
  • step S5 the control unit 20 determines whether the hash value satisfies a condition associated with the type of the device 2 (step S5).
  • the type of the device 2 associated with the IP address can be specified according to the values of the third and fourth digits from the beginning of the IP address displayed in hexadecimal. For example, it is assumed that the values of the third and fourth digits from the head of the IP address and the type of the device have the following relationship.
  • the determination condition of S5 is satisfied.
  • the type of the device 2 is a personal computer.
  • the values of the third and fourth digits from the beginning of the IP address of the device 2 are “00”
  • the control unit 20 determines the IP address of the device 2 based on the hash value that satisfies the determination conditions of steps S4 and S5 (step S6). For example, when the size of the hash value is 256 bits and the IP address (128 bits) corresponding to IPv6 is used as the IP address of the device 2, the control unit 20 sets the first half of the 64-digit hash value to 32 bits. The digit hash value may be determined as the IP address of the device 2. When the size of the hash value is 128 bits and the IP address (128 bits) corresponding to IPv6 is used as the IP address of the device 2, the control unit 20 converts all values of the 32-digit hash value into The IP address of the device 2 may be determined.
  • the control unit 20 sets the first half of the 64-digit hash value to 8 bits.
  • the digit hash value may be determined as the IP address of the device 2.
  • a step of determining whether the determined IP address of the device 2 is the same as the IP address of another device may be provided. Specifically, after the processing in step S6, the device 2 transmits information on the IP address of the device 2 to the management server that manages the IP address via the communication network. The management server determines whether the IP address transmitted from the device 2 overlaps with one of the IP addresses included in the IP address management table stored in its own storage device. Here, if the IP address of the device 2 overlaps with one of the IP addresses included in the IP address management table, the management server may send a message to the device 2 to reject the registration of the IP address. Good.
  • the device 2 transmits the information on the IP address determined again after executing the processing of steps S1 to S6 again to the management server.
  • the management server transmits a message to the effect that the registration of the IP address is permitted to the device 2. Is also good.
  • step S7 the control unit 20 obtains an electronic certificate associated with the generated public key from a certificate authority of a predetermined organization. That is, the user of the device 2 registers the public key with the certificate authority and obtains an electronic certificate related to the registered public key from the certificate authority. More specifically, the control unit 20 transmits a request for issuing a public key and an electronic certificate (certificate signature request) to a server of a certificate authority via a communication network. Next, the server of the certification authority registers the public key and issues an electronic certificate associated with the public key in response to the received request for issuing the electronic certificate. Then, the server of the certificate authority transmits the electronic certificate to the device 2 via the communication network.
  • a certificate authority of a predetermined organization. That is, the user of the device 2 registers the public key with the certificate authority and obtains an electronic certificate related to the registered public key from the certificate authority. More specifically, the control unit 20 transmits a request for issuing a public key and an electronic certificate (certificate signature request) to a server of
  • the certificate authority of the predetermined organization may be an intermediate certificate authority of the predetermined organization. Further, when acquiring an electronic certificate related to a public key from a certificate authority, payment of a predetermined fee may be required.
  • an IP address unique to the device 2 is determined based on the public key of the device 2.
  • the device 2 can be connected to a communication network such as the Internet using the IP address determined by the device 2 itself.
  • the device 2 can connect to the Internet using an IP address determined by the device 2 itself without using a service provider (server) that manages a global IP address such as an ISP.
  • server service provider
  • the user U operating the device 2 uses the IP address determined by the device 2 itself to perform predetermined routing via the wireless LAN router 3 on the Internet 4.
  • the web server 6 can be accessed.
  • the device 2 can directly communicate with an external device using an IP address determined by the device 2 itself without using a server (for example, a DHCP server) that manages a private IP address (for details, See below).
  • a server for example, a DHCP server
  • a hash value that satisfies the conditions of steps S4 and S5 can be generated. That is, it is possible to generate an IP address associated with a hash value that satisfies the conditions of steps S4 and S5.
  • a hash value corresponding to the type of the device 2 can be generated. That is, an IP address corresponding to the type of the device 2 can be generated. Therefore, a third party can specify the type of the device 2 based on the IP address of the device 2.
  • the hash value is repeatedly generated until the determination conditions of steps S4 and S5 are satisfied, it is possible to surely generate the IP address associated with the hash value satisfying the conditions of steps S4 and S5. it can.
  • the public key is directly authenticated by the certificate authority through the acquisition of the electronic certificate, and the IP address determined based on the public key is also indirectly authenticated by the certificate authority.
  • the device 2 can connect to a communication network such as the Internet using the IP address indirectly authenticated by the certificate authority.
  • the secret key of the device 2 is generated using the random number generator of the device 2.
  • the secret key of the device 2 is provided by an external device communicably connected to the device 2. You may.
  • the order of each step shown in FIG. 2 is not particularly limited. For example, the process of step S6 may be performed after the process of step S7.
  • the electronic certificate associated with the public key may include information (attribute information) related to the attribute of the device 2.
  • the attribute information of the device 2 may include, for example, at least one of version information of an OS program of the device 2 and information on a serial number of hardware (for example, a processor or a storage device) constituting the device 2.
  • the attribute information of the device 2 included in the electronic certificate may be encrypted by a hash function or the like.
  • the device 2 when transmitting the request for issuing the public key and the electronic certificate (certificate signature request), the device 2 may transmit the attribute information of the device 2 to the server of the certificate authority.
  • the attribute information of the device 2 since the attribute information of the device 2 is included in the electronic certificate, it is authenticated that the electronic certificate has been issued according to the request of the device 2. For this reason, it is suitably prevented that a device other than the device 2 uses the public key and the electronic certificate of the device 2.
  • the electronic certificate may also include attribute information of a user associated with the device 2 (for example, a user who owns the device 2).
  • attribute information of a user associated with the device 2 for example, a user who owns the device 2.
  • an example of the user's attribute information is the user's name, identification number, contact information, age, gender, address, or credit card information.
  • the WEB server can check the user attribute information included in the electronic certificate. Therefore, the user of the device 2 can use an online service (such as an EC site) provided by the WEB server without registering the user information or the like. That is, the user of the device 2 can be released from the trouble of managing the login information (login ID and login password) of each online service, so that a rich online experience can be provided to the user.
  • the hash value of the attribute information of the device 2 and / or the attribute information of the user (hereinafter, may be simply referred to as “attribute information”) described in the electronic certificate may be included in the electronic certificate.
  • the hash value is generated based on the attribute information and the cryptographic hash function.
  • the attribute information described in the electronic certificate is falsified by a third party, the hash value changes, so that the falsification of the attribute information can be detected based on the hash value.
  • the external device calculates the hash value of the attribute information of the electronic certificate so that the calculated hash value matches the hash value indicated in the electronic certificate. It is determined whether or not to do.
  • the external device determines that the attribute information of the digital certificate has not been falsified. On the other hand, if the two do not match, the external device determines that the attribute information of the electronic certificate has been falsified.
  • the hash value of all the contents described in the electronic certificate may be included in the electronic certificate.
  • the hash value changes, so the description content of the digital certificate is changed based on the hash value. It is possible to detect tampering by three parties.
  • the electronic certificate includes the attribute information of the device 2 and / or the attribute information of the user.
  • all the attribute information described in the electronic certificate may be transmitted to the external device, or some of the attribute information described in the electronic certificate may not be transmitted to the external device. That is, some attribute information described in the electronic certificate may be hashed by the hash function.
  • the user can hash an address, credit card information, and the like in the user attribute information 40 described in the electronic certificate 8 through an input operation on the device 2.
  • the external device that has received the electronic certificate 8 from the device 2 cannot specify the address and the credit card information in the user attribute information 40 described in the electronic certificate 8, but the user other than the address and the credit card information
  • the attribute information 40 can be specified.
  • the hash values of all the attribute information when all the attribute information are in the display state are all the hash values when some of the attribute information is in the non-display (hash) state. Matches the hash value of the attribute information.
  • the hash value of all the description contents described in the electronic certificate when all the attribute information is in the display state is the same as the hash value when some of the attribute information is in the non-display (hash) state. It matches the hash value of all the contents described in the electronic certificate. In other words, even if a part of the attribute information is hashed, the hash value of all the attribute information or the hash value of all the description contents described in the digital certificate does not change. Tampering with the electronic certificate can be easily detected.
  • the non-display (hashing) of some attribute information may be set in advance by the user or may be changeable in response to a request from an external device. It is assumed that the original attribute information is grasped based on the hash value of the attribute information by referring to the database indicating the relationship between the hash value and the original information. In order to prevent such a situation, the original attribute information may be hashed based on a predetermined coefficient and the original attribute information. In this case, the predetermined coefficient may be a constant, or may be a variable that changes based on predetermined information (for example, date information of an electronic certificate).
  • FIG. 4 is a diagram illustrating an information processing system 30 including an information processing device 2A (hereinafter, simply referred to as “device 2A”) and an information processing device 2B (hereinafter, simply referred to as “device 2B”).
  • FIG. 5 is a flowchart illustrating an example of a process for determining an IP address of an external device.
  • the number of information processing devices that are communicably connected to each other is two.
  • the number may be three or more.
  • Each of the devices 2A and 2B has the hardware configuration of the device 2 shown in FIG.
  • each of the devices 2A and 2B has already executed the processing for determining the IP address shown in FIG. That is, it is assumed that the device 2A has already executed the process of determining the IP address of the device 2A. Therefore, as shown in FIG. 4, the device 2A has already generated the public key 7A associated with the IP address of the device 2A, and has already issued the electronic certificate 8A associated with the public key 7A from the certificate authority. It is assumed that it has been acquired. Similarly, it is assumed that the device 2B has already executed the process of determining the IP address of the device 2B. Therefore, as shown in FIG. 4, the device 2B has already generated the public key 7B associated with the IP address of the device 2B, and has already issued the digital certificate 8B associated with the public key 7B from the certificate authority. It is assumed that it has been acquired.
  • step S10 the device 2A (specifically, the control unit 20 of the device 2A) sends a public key 7A and an electronic certificate 8A associated with the public key 7A to the outside of the device 2A. (Broadcast). Thereafter, the device 2B existing near the device 2A receives the public key 7A and the electronic certificate 8A broadcast from the device 2A.
  • step S11 the device 2B (specifically, the control unit 20 of the device 2B) transmits (broadcasts) the public key 7B and the electronic certificate 8B associated with the public key 7B to the outside of the device 2B. I do. Thereafter, the device 2A receives the public key 7B and the electronic certificate 8B broadcast from the device 2B. Note that the process of step S11 may be performed simultaneously with the process of step S10, or may be performed before the process of step S10.
  • step S12 the device 2B determines whether the digital certificate 8A broadcast from the device 2A is valid.
  • the process of determining the validity of the electronic certificate 8A that is, the process of step S12 will be described below with reference to FIG.
  • the device 2B determines the integrity of the electronic certificate 8A. Specifically, the device 2B checks the owner information of the electronic certificate 8A, the issuer information of the electronic certificate 8A, and the digital signature of the issuer. Next, in step S21, the device 2B determines the expiration date of the electronic certificate 8A. Thereafter, in step S22, the device 2B determines the reliability of the issuer of the electronic certificate 8A. In particular, when the certificate authority that has issued the digital certificate 8A is an intermediate certificate authority, the device 2B specifies the root certificate authority of the intermediate certificate authority that has issued the digital certificate 8A, and determines that the specified root certificate authority is Determine if you can trust. For example, if the specified root certificate authority is included in the information on a plurality of root certificate authorities stored in the memory of the device 2B, it is determined that the issuer of the electronic certificate 8A is reliable.
  • the device 2B when determining that the electronic certificate 8A is valid, the device 2B generates a hash value based on the public key 7A and a predetermined hash function (step S13).
  • the predetermined hash function is a cryptographic hash function such as BLAKE as described above. Further, in the present embodiment, it is assumed that the hash function used by the device 2B and the hash function used by the device 2A are the same.
  • the device 2B determines the IP address of the device 2A based on the generated hash value. For example, as described above, when the size of the hash value is 256 bits and the IP address (128 bits) corresponding to IPv6 is used as the IP address of the device 2A, the device 2B generates the 64-digit hash value. Of the first half may be determined as the IP address of the device 2A.
  • step S15 the device 2A determines whether the electronic certificate 8B broadcast from the device 2B is valid.
  • the specific contents of the processing in step S15 are as shown in FIG.
  • the device 2A when determining that the electronic certificate 8B is valid, the device 2A generates a hash value based on the public key 7B and a predetermined hash function (Step S16). Further, as described above, the hash function used by the device 2A is the same as the hash function used by the device 2B.
  • step S17 the device 2A determines the IP address of the device 2B based on the generated hash value. Similarly to the processing in step S14, when the size of the hash value is 256 bits and the IP address (128 bits) corresponding to IPv6 is used as the IP address of the device 2B, the device 2A uses the 64-digit hash value. May be determined as the IP address of the device 2B.
  • the device 2A can know the IP addresses of the devices 2A and 2B, and the device 2B can know the IP addresses of the devices 2A and 2B. Therefore, the devices 2A and 2B can be directly connected to each other without using a server that manages an IP address (that is, P2P communication with the devices 2A and 2B without a server can be realized).
  • a server that manages an IP address that is, P2P communication with the devices 2A and 2B without a server can be realized.
  • VPN virtual private network
  • the device 2A can transmit a message to the device 2B without passing through a mail server or the like, it is possible to avoid a situation where the message of the device 2A is grasped by a third party (for example, a server administrator or the like). It becomes possible. Further, the device 2A can transmit image data indicating the screen screen of the device 2A to the device 2B without going through the VPN server. On the other hand, the device 2B can transmit an operation signal for operating the screen screen of the device 2A to the device 2A without going through the VPN server. Thus, the user of the device 2B can remotely operate the device 2A. Further, the device 2A and the device 2B can share an electronic file with each other without going through a file exchange server. Therefore, it is possible to avoid a situation where the shared electronic file is grasped by a third party.
  • a third party for example, a server administrator or the like.
  • the transmission message may be encrypted.
  • the transmission message may be encrypted with a common key generated based on the public key 7A of the device 2A and the public key 7B of the device 2B. Further, the common key may be changed each time a session between the device 2A and the device 2B is established. Thus, it is possible to realize secure communication between the device 2A and the device 2B.
  • the hash value of the external device is generated based on the public key of the external device.
  • the IP address of the external device is determined based on the hash value of the external device (here, the device 2B is an external device when viewed from the device 2A, while the device 2A is determined when viewed from the device 2B). Is an external device.).
  • the device 2A can confirm that the received public key 7B is the public key of the device 2B.
  • the device 2A can confirm that the IP address generated based on the public key 7B is the IP address of the device 2B. Therefore, the device 2A can reliably acquire the IP address of the device 2B, and can reliably communicate with the device 2B using the IP address of the device 2B.
  • the device 2B can confirm that the received public key 7A is the public key of the device 2A. Further, the device 2B can confirm that the IP address generated based on the public key 7A is the IP address of the device 2A. Therefore, the device 2B can reliably acquire the IP address of the device 2A and can reliably communicate with the device 2A using the IP address of the device 2A.
  • the information processing system may include three or more information processing devices.
  • the information processing system 30A has four information processing devices 2A to 2D (hereinafter, simply referred to as “devices 2A to 2D”).
  • each of the devices 2A to 2D has the hardware configuration of the device 2 shown in FIG.
  • each of the devices 2A to 2D executes each processing executed by the device 2A or 2B shown in FIG.
  • the device 2A broadcasts the public key and the electronic certificate of the device 2A to the outside, and receives the public key and the electronic certificate from each of the devices 2B to 2D existing near the device 2A.
  • the device 2B broadcasts the public key and the electronic certificate of the device 2B to the outside, and receives the public key and the electronic certificate from each of the devices 2A, 2C, and 2D.
  • the device 2C broadcasts the public key and the electronic certificate of the device 2C to the outside, and receives the public key and the electronic certificate from each of the devices 2A, 2B, and 2D.
  • the device 2D broadcasts the public key and the electronic certificate of the device 2D to the outside, and receives the public key and the electronic certificate from each of the devices 2A to 2C.
  • the device 2A determines the IP addresses of the devices 2B to 2D.
  • the device 2B determines the IP addresses of the devices 2A, 2C, and 2D.
  • the device 2C determines the IP addresses of the devices 2A, 2B, and 2D.
  • the device 2D determines the IP addresses of the devices 2A to 2C.
  • each of the devices 2A-2D can be directly connected to three external devices using the IP addresses of the devices 2A-2D.
  • a mesh network can be configured by the devices 2A to 2D.
  • the connection of the devices 2A to 2D may be through a predetermined routing in a communication network.
  • the devices 2A to 2D can be connected to each other to form an optimal path.
  • a mesh network is configured by the devices 2A to 2D, but the present embodiment is not limited to this. Not something.
  • the devices 2A and 2B may use a second hash function different from the first hash function.
  • the devices 2A and 2B are communicably connected to each other, and the devices 2C and 2D are communicably connected to each other.
  • the devices 2A and 2B are not communicably connected to the devices 2C and 2D.
  • two communication network groups can be constructed in the information processing system 30A by using two different hash functions.
  • an information processing program may be pre-installed in the storage device 23 or the ROM.
  • the information processing program includes a magnetic disk (for example, HDD, floppy disk), an optical disk (for example, CD-ROM, DVD-ROM, Blu-ray (registered trademark) disk), a magneto-optical disk (for example, MO), and a flash. It may be stored in a computer-readable storage medium such as a memory (for example, an SD card, a USB memory, or an SSD).
  • a computer-readable storage medium such as a memory (for example, an SD card, a USB memory, or an SSD).
  • an information processing program stored in a computer-readable storage medium may be incorporated in the storage device 23.
  • the processor may execute the information processing program loaded on the RAM.
  • the information processing method according to the present embodiment is executed by the device 2.
  • the information processing program may be stored in a storage medium (for example, HDD) of a server on a communication network such as the Internet.
  • the information processing program may be downloaded from the server via the network interface 25.
  • the downloaded information processing program may be incorporated in the storage device 23.
  • the information processing program (information processing method) according to the present embodiment is executed by a network layer in an OSI (Open ⁇ Systems ⁇ Interconnection) reference model. Therefore, secure communication can be realized in the transport layer, session layer, presentation layer, and application layer of the OSI reference model, and the existing application programs and physical infrastructure can be applied as they are.
  • OSI Open ⁇ Systems ⁇ Interconnection
  • the device 2 may acquire an electronic certificate associated with the public key of the device 2 from certificate authorities of a plurality of organizations.
  • the electronic certificate may include information related to the attribute of the organization of the certificate authority.
  • the electronic certificate may include information related to the attribute of organization X.
  • the device 2A obtains a plurality of digital certificates 8A from certificate authorities of a plurality of different organizations
  • the device 2B obtains a plurality of digital certificates from certificate authorities of a plurality of different organizations.
  • Letter 8B is obtained.
  • the device 2A transmits the public key 7A and the plurality of digital certificates 8A to the device 2B in step S10.
  • the device 2B transmits the public key 7B and the plurality of digital certificates 8B to the device 2A in step S11.
  • step S12 after determining whether each of the plurality of digital certificates 8A is valid, at step S12, at least one of the organizations of the plurality of certificate authorities that issued the plurality of digital certificates 8A determines It may be determined whether it is included in the organization list indicating the organizations of the plurality of certificate authorities stored in the memory of the device 2B. Specifically, the device 2B determines at least one of the organizations of the plurality of certificate authorities that issued the plurality of digital certificates 8A based on information related to the attribute of the organization included in the digital certificate 8A and the organization list. It may be determined whether or not one is included in the organization list. The device 2B may execute the processing of steps S13 and S14 when at least one of the organizations of the plurality of certificate authorities that issued the plurality of digital certificates 8A is included in the organization list.
  • the device 2A determines in step S15 whether each of the plurality of digital certificates 8B is valid, and then determines at least one of the organizations of the plurality of certificate authorities that issued the plurality of digital certificates 8B. It may be determined whether or not one is included in the organization list indicating a plurality of organizations stored in the memory of the device 2A. Specifically, the device 2A determines at least one of the organizations of the plurality of certificate authorities that issued the plurality of digital certificates 8B based on the information related to the attribute of the organization included in the electronic certificate 8B and the organization list. It may be determined whether one is included in the organization list. The device 2A may execute the processing of steps S16 and S17 when at least one of the plurality of organizations that issued the plurality of digital certificates 8B is included in the organization list.
  • the organization that has issued the electronic certificate of the public key 7A is included in the organization list stored in the device 2B, and the organization that has issued the electronic certificate of the public key 7B is included in the organization list stored in the device 2A. If included, device 2A and device 2B may be directly connected to each other. That is, it is possible to select a communication partner according to the condition related to the organization that has issued the electronic certificate, and to construct a plurality of communication network groups in the information processing system.
  • the devices 2A and 2B have acquired a plurality of digital certificates.
  • the determination related to the organization that issued the digital certificate has been performed. Processing related to the condition may be applied. For example, when the organization of the certificate authority that issued the digital certificate of the device 2A and the organization of the certificate authority that issued the digital certificate of the device 2B are different from each other, the processes of steps S13 and S14 (steps S16 and S17) are not performed. It need not be executed.
  • an IP address that is a network address compatible with the Internet protocol is described as an example of the network address of the devices 2A and 2B, but the network address is not limited to the IP address.
  • the network addresses of the devices 2A and 2B may be network addresses corresponding to a predetermined communication protocol other than the Internet protocol.

Landscapes

  • Engineering & Computer Science (AREA)
  • Computer Security & Cryptography (AREA)
  • Computer Networks & Wireless Communication (AREA)
  • Signal Processing (AREA)
  • Power Engineering (AREA)
  • Data Exchanges In Wide-Area Networks (AREA)
  • Information Transfer Between Computers (AREA)
  • Storage Device Security (AREA)
  • Alarm Systems (AREA)
  • Computer And Data Communications (AREA)
  • Hardware Redundancy (AREA)

Abstract

This information processing method is executed by a processor of an apparatus, and comprises a step (S2) for generating a public key of the apparatus on the basis of a secret key of the apparatus; a step (S3) for generating a hash value on the basis of the public key and a predetermined hash function; and a step (S6) for determining an IP address of the apparatus on the basis of the hash value.

Description

情報処理方法、情報処理プログラム、情報処理装置及び情報処理システムInformation processing method, information processing program, information processing apparatus, and information processing system
 本開示は、情報処理方法、情報処理プログラム、情報処理装置及び情報処理システムに関する。 The present disclosure relates to an information processing method, an information processing program, an information processing device, and an information processing system.
 近年の情報通信技術の発展は目覚ましく、パーソナルコンピュータ、スマートフォンやタブレットだけでなく、自動車、家電、センサ装置等のあらゆるモノ(things)がインターネット等の通信ネットワークに接続されつつある。このように、地球上の数兆個の装置が通信ネットワークに接続されるIoT(Internet of Things)社会が近い将来に到来することが予想されている(特許文献1を参照)。 情報 In recent years, the development of information and communication technology has been remarkable, and not only personal computers, smartphones and tablets, but also everything such as automobiles, home appliances, and sensor devices are being connected to communication networks such as the Internet. Thus, an IoT (Internet of Things) society in which trillions of devices on the earth are connected to a communication network is expected to arrive in the near future (see Patent Document 1).
日本国特表2016-515328号公報Japanese Patent Publication No. 2016-515328
 ところで、特許文献1に開示されているように、現在のIoT技術では、インターネットサービス事業者(ISP)がインターネットに接続される各デバイスのIPアドレスを管理している。例えば、所定の装置がインターネットに接続される場合、ISPが当該所定の装置にIPアドレスを割り当てる。その後、当該所定の装置は、ISPによって割り当てられたIPアドレスを用いてインターネット上のWEBサーバにアクセスすることが可能となる。このように、インターネット等の通信ネットワークに装置を接続させる場合では、ISP等のIPアドレスを管理する事業者の介入が必要となっており、通信ネットワークへの接続に対するユーザ体験又はユーザの利便性を向上させる点で改善の余地がある。 By the way, as disclosed in Patent Document 1, in the current IoT technology, an Internet service provider (ISP) manages the IP address of each device connected to the Internet. For example, when a predetermined device is connected to the Internet, the ISP assigns an IP address to the predetermined device. Thereafter, the predetermined device can access a web server on the Internet using the IP address assigned by the ISP. As described above, in the case where the device is connected to a communication network such as the Internet, intervention of a business operator that manages an IP address such as an ISP is required, and a user experience or a user's convenience in connecting to the communication network is required. There is room for improvement in terms of improvement.
 本開示は、通信ネットワークへの接続に対するユーザ体験又はユーザの利便性を向上させることが可能な情報処理方法、情報処理プログラム、情報処理装置及び情報処理システムを提供することを目的とする。 The present disclosure aims to provide an information processing method, an information processing program, an information processing apparatus, and an information processing system capable of improving a user experience or a user's convenience for connection to a communication network.
 本開示の一態様に係る情報処理方法は、装置のプロセッサによって実行され、
 前記装置の秘密鍵に基づいて前記装置の公開鍵を生成するステップと、
 前記公開鍵と所定のハッシュ関数に基づいてハッシュ値を生成するステップと、
 前記ハッシュ値に基づいて前記装置のネットワークアドレスを決定するステップと、
を含む。 An information processing method according to an aspect of the present disclosure is executed by a processor of an apparatus,
Generating a public key of the device based on a secret key of the device;
Generating a hash value based on the public key and a predetermined hash function;
Determining a network address of the device based on the hash value;
including.
 また、前記情報処理方法は、前記秘密鍵を生成するステップをさらに含んでもよい。 The information processing method may further include a step of generating the secret key.
 また、前記情報処理方法は、前記装置の外部に存在する外部装置に前記公開鍵を送信するステップをさらに含んでもよい。 The information processing method may further include a step of transmitting the public key to an external device existing outside the device.
 また、前記情報処理方法は、前記ハッシュ値が所定の条件を満たすかどうか判定するステップをさらに含んでもよい。前記ハッシュ値が前記所定の条件を満たす場合に、前記ハッシュ値に基づいて前記ネットワークアドレスが決定されてもよい。 The information processing method may further include a step of determining whether the hash value satisfies a predetermined condition. When the hash value satisfies the predetermined condition, the network address may be determined based on the hash value.
 また、前記情報処理方法は、前記秘密鍵を生成するステップをさらに含んでもよい。
 前記ハッシュ値が前記所定の条件を満たさない場合に、前記ハッシュ値が前記所定の条件を満たすまで前記秘密鍵を生成するステップと、前記公開鍵を生成するステップと、前記ハッシュ値を生成するステップが繰り返し実行されてもよい。 Further, the information processing method may further include a step of generating the secret key.
When the hash value does not satisfy the predetermined condition, generating the secret key until the hash value satisfies the predetermined condition; generating the public key; and generating the hash value. May be repeatedly executed.
 また、前記所定の条件は、前記ハッシュ値のうちの先頭の2桁の値に関連付けられた条件を含んでもよい。 The predetermined condition may include a condition associated with the first two digits of the hash value.
 また、前記所定の条件は、前記装置の種類に関連付けられた条件を含んでもよい。 The predetermined condition may include a condition associated with the type of the device.
 また、前記ハッシュ値を生成するステップは、前記公開鍵と、所定の組織に関連付けられた値と、前記所定のハッシュ関数に基づいて前記ハッシュ値を生成するステップを含んでもよい。 The step of generating the hash value may include the step of generating the hash value based on the public key, a value associated with a predetermined organization, and the predetermined hash function.
 また、前記所定の組織に関連付けられた値は、前記所定の組織の商標に関連付けられた値であってもよい。 The value associated with the predetermined organization may be a value associated with a trademark of the predetermined organization.
 また、前記情報処理方法は、前記公開鍵に関連付けられた電子証明書を認証局から取得するステップをさらに含んでもよい。 The information processing method may further include a step of obtaining an electronic certificate associated with the public key from a certificate authority.
 また、前記情報処理方法は、前記装置の外部に存在する外部装置に前記公開鍵と前記電子証明書を送信するステップとをさらに含んでもよい。 The information processing method may further include a step of transmitting the public key and the electronic certificate to an external device existing outside the device.
 また、前記電子証明書は、前記装置の属性に関連する情報を含んでもよい。 The electronic certificate may include information related to the attribute of the device.
 また、前記電子証明書は、前記装置に関連付けられたユーザの属性情報を含んでもよい。 The electronic certificate may include attribute information of a user associated with the device.
 また、前記電子証明書は、
 前記装置及び/又は前記装置に関連付けられたユーザの属性情報と、
 前記属性情報の全体のハッシュ値と、
を含んでもよい。 Also, the electronic certificate is
Attribute information of the device and / or a user associated with the device;
A hash value of the entire attribute information;
May be included.
 また、前記属性情報の一部がハッシュされてもよい。 In addition, a part of the attribute information may be hashed.
 また、前記属性情報の一部と所定の係数とに基づいて、前記属性情報の一部がハッシュされてもよい。 Further, a part of the attribute information may be hashed based on a part of the attribute information and a predetermined coefficient.
 また、前記情報処理方法は、
 前記装置の外部に存在する外部装置から前記外部装置の公開鍵を受信するステップと、
 前記外部装置の公開鍵と前記所定のハッシュ関数に基づいて前記外部装置のハッシュ値を生成するステップと、
 前記外部装置のハッシュ値に基づいて前記外部装置のネットワークアドレスを決定するステップと、をさらに含んでもよい。 Further, the information processing method includes:
Receiving a public key of the external device from an external device existing outside the device,
Generating a hash value of the external device based on the public key of the external device and the predetermined hash function;
Determining a network address of the external device based on a hash value of the external device.
 また、前記外部装置の公開鍵を受信するステップは、前記外部装置の公開鍵と当該公開鍵に関連付けられた電子証明書を受信するステップを含んでもよい。前記情報処理方法は、前記電子証明書が正当であるかどうかを判定するステップをさらに含んでもよい。前記電子証明書が正当であると判定された場合に、前記外部装置の公開鍵に基づいて前記外部装置のハッシュ値が生成されてもよい。 The step of receiving the public key of the external device may include the step of receiving a public key of the external device and an electronic certificate associated with the public key. The information processing method may further include a step of determining whether the electronic certificate is valid. When it is determined that the electronic certificate is valid, a hash value of the external device may be generated based on a public key of the external device.
 本開示の一態様に係る情報処理方法は、装置のプロセッサによって実行され、前記装置の公開鍵に基づいて前記装置のネットワークアドレスを決定するステップを含む。 << The information processing method according to an aspect of the present disclosure is executed by a processor of an apparatus, and includes a step of determining a network address of the apparatus based on a public key of the apparatus.
 また、前記情報処理方法は、ネットワークアドレスを管理するサーバを介せずに、前記装置のネットワークアドレスを用いた通信を実行するステップをさらに含んでもよい。 The information processing method may further include a step of executing communication using the network address of the device without using a server that manages the network address.
 また、OSI参照モデルのネットワーク層において前記情報処理方法が実行されてもよい。 The information processing method may be executed in a network layer of the OSI reference model.
 また、前記情報処理方法をコンピュータに実行させるための情報処理プログラムが提供される。さらに、当該情報処理プログラムが保存されたコンピュータ読取可能な記憶媒体が提供される。 Also, an information processing program for causing a computer to execute the information processing method is provided. Further, a computer-readable storage medium storing the information processing program is provided.
 本開示の一態様に係る情報処理装置は、少なくとも一つのプロセッサと、コンピュータ可読命令を記憶するメモリとを備える。前記コンピュータ可読命令が前記プロセッサにより実行されると、前記情報処理装置は、前記情報処理方法を実行するように構成されている。 The information processing apparatus according to an embodiment of the present disclosure includes at least one processor and a memory that stores computer-readable instructions. The information processing device is configured to execute the information processing method when the computer readable instruction is executed by the processor.
 本開示に一態様に係る情報処理システムは、第1装置と前記第1装置に通信可能に接続される第2装置とを含む。
 前記第1装置は、
 前記第1装置の第1秘密鍵に基づいて前記第1装置の第1公開鍵を生成し、
 前記第1公開鍵と所定のハッシュ関数に基づいて第1ハッシュ値を生成し、
 前記第1ハッシュ値に基づいて前記第1装置の第1のネットワークアドレスを決定し、
 前記第1公開鍵を前記第2装置に送信する。
 前記第2装置は、
 前記第2装置の第2秘密鍵に基づいて前記2装置の第2公開鍵を生成し、
 前記第2公開鍵と前記所定のハッシュ関数に基づいて第2ハッシュ値を生成し、
 前記第2ハッシュ値に基づいて前記第2装置の第2のネットワークアドレスを決定し、
 前記第2公開鍵を前記第1装置に送信する。
 前記第1装置は、
 前記第2装置から前記第2公開鍵を受信し、
 前記第2公開鍵と前記所定のハッシュ関数に基づいて前記第2ハッシュ値を生成し、
 前記第2ハッシュ値に基づいて前記第2のネットワークアドレスを決定する。
 前記第2装置は、
 前記第1装置から前記第1公開鍵を受信し、
 前記第1公開鍵と前記所定のハッシュ関数に基づいて前記第1ハッシュ値を生成し、
 前記第1ハッシュ値に基づいて前記第1のネットワークアドレスを決定する。 An information processing system according to an embodiment of the present disclosure includes a first device and a second device communicably connected to the first device.
The first device comprises:
Generating a first public key of the first device based on a first secret key of the first device;
Generating a first hash value based on the first public key and a predetermined hash function;
Determining a first network address of the first device based on the first hash value;
Transmitting the first public key to the second device;
The second device includes:
Generating a second public key of the second device based on a second secret key of the second device;
Generating a second hash value based on the second public key and the predetermined hash function;
Determining a second network address of the second device based on the second hash value;
Transmitting the second public key to the first device;
The first device comprises:
Receiving the second public key from the second device;
Generating the second hash value based on the second public key and the predetermined hash function;
The second network address is determined based on the second hash value.
The second device includes:
Receiving the first public key from the first device;
Generating the first hash value based on the first public key and the predetermined hash function;
The first network address is determined based on the first hash value.
 また、前記第1装置は、
 認証局に前記第1公開鍵を送信し、
 前記認証局から前記第1公開鍵に関連付けられた第1電子証明書を取得し、
 前記第1電子証明書と前記第1公開鍵を前記第2装置に送信してもよい。
 前記第2装置は、
 前記認証局又は別の認証局に前記第2公開鍵を送信し、
 前記認証局又は前記別の認証局から前記第2公開鍵に関連付けられた第2電子証明書を取得し、
 前記第2電子証明書と前記第2公開鍵を前記第1装置に送信してもよい。
 前記第1装置は、
 前記第2装置から前記第2公開鍵及び前記第2電子証明書を受信し、
 前記第2電子証明書が正当であるかどうかを判定してもよい。
 前記第2装置は、
 前記第1装置から前記第1公開鍵及び前記第1電子証明書を受信し、
 前記第1電子証明書が正当であるかどうかを判定してもよい。 Further, the first device includes:
Sending the first public key to a certificate authority,
Obtaining a first digital certificate associated with the first public key from the certificate authority;
The first electronic certificate and the first public key may be transmitted to the second device.
The second device includes:
Transmitting the second public key to the certificate authority or another certificate authority,
Obtaining a second digital certificate associated with the second public key from the certificate authority or the another certificate authority,
The second electronic certificate and the second public key may be transmitted to the first device.
The first device comprises:
Receiving the second public key and the second digital certificate from the second device;
It may be determined whether the second electronic certificate is valid.
The second device includes:
Receiving the first public key and the first digital certificate from the first device;
It may be determined whether the first digital certificate is valid.
 本開示によれば、通信ネットワークへの接続に対するユーザ体験又はユーザの利便性を向上させることが可能な情報処理方法、情報処理プログラム、情報処理装置及び情報処理システムを提供することができる。 According to the present disclosure, it is possible to provide an information processing method, an information processing program, an information processing apparatus, and an information processing system capable of improving a user experience or a user's convenience for connection to a communication network.
本発明の実施形態(以下、本実施形態という。)に係る情報処理装置のハードウェア構成の一例を示す図である。1 is a diagram illustrating an example of a hardware configuration of an information processing apparatus according to an embodiment (hereinafter, referred to as an embodiment) of the present invention. 情報処理装置のIPアドレスを決定する処理の一例を説明するためのフローチャートである。13 is a flowchart illustrating an example of a process for determining an IP address of an information processing device. 情報処理装置とインターネット上のサーバとを示す図である。FIG. 2 is a diagram illustrating an information processing apparatus and a server on the Internet. 2つの情報処理装置を含む情報処理システムを示す図である。FIG. 1 is a diagram illustrating an information processing system including two information processing apparatuses. 外部装置のIPアドレスを決定する処理の一例を説明するためのフローチャートである。9 is a flowchart illustrating an example of a process for determining an IP address of an external device. 外部装置から送信された電子証明書の正当性を判定する処理の一例を示すフローチャートである。9 is a flowchart illustrating an example of a process of determining the validity of an electronic certificate transmitted from an external device. 4つの情報処理装置を含む情報処理システムを示す図である。FIG. 2 is a diagram illustrating an information processing system including four information processing apparatuses. ユーザ属性情報の一部がハッシュされる前後の電子証明書の一例を示す図である。FIG. 7 is a diagram illustrating an example of an electronic certificate before and after a part of user attribute information is hashed.
 以下、本実施形態について図面を参照しながら説明する。最初に、図1を参照して本発明の実施形態(以下、単に「本実施形態」という。)に係る情報処理装置2のハードウェア構成について以下に説明する。 Hereinafter, the present embodiment will be described with reference to the drawings. First, a hardware configuration of an information processing apparatus 2 according to an embodiment of the present invention (hereinafter, simply referred to as “the present embodiment”) will be described with reference to FIG.
 図1は、本実施形態に係る情報処理装置2のハードウェア構成の一例を示す図である。図1に示すように、情報処理装置2(以下、単に「装置2」という。)は、制御部20と、記憶装置23と、ネットワークインターフェース25と、表示部26と、入力操作部27とを備える。これらは、バス29を介して互いに通信可能に接続されている。 FIG. 1 is a diagram illustrating an example of a hardware configuration of the information processing apparatus 2 according to the present embodiment. As shown in FIG. 1, the information processing device 2 (hereinafter, simply referred to as “device 2”) includes a control unit 20, a storage device 23, a network interface 25, a display unit 26, and an input operation unit 27. Prepare. These are communicably connected to each other via a bus 29.
 装置2は、例えば、パーソナルコンピュータ、スマートフォン、タブレット、ユーザの身体(例えば、腕や頭等)に装着されるウェアラブルデバイス(例えば、スマートウォッチやARグラス等)であってもよい。また、装置2は、スマート家電、コネクティッド自動車、工場等に設置された制御機器であってもよい。このように、装置2の種類は、IPアドレス(ネットワークアドレスの一例)を用いてインターネット等の通信ネットワークに接続されると共に、プロセッサとメモリを備える全てのモノが対象となる。本実施形態では、装置2は、表示部26と、入力操作部27を備えるが、これらは装置2の必須の構成要素ではない。 The device 2 may be, for example, a personal computer, a smartphone, a tablet, or a wearable device (for example, a smart watch, AR glass, or the like) attached to a user's body (for example, an arm or a head). The device 2 may be a control device installed in a smart home appliance, a connected car, a factory, or the like. As described above, the type of the device 2 includes all objects that are connected to a communication network such as the Internet using an IP address (an example of a network address) and that include a processor and a memory. In the present embodiment, the device 2 includes the display unit 26 and the input operation unit 27, but these are not essential components of the device 2.
 制御部20は、装置2の動作を制御するように構成されており、メモリとプロセッサを備えている。メモリは、コンピュータ可読命令(例えば、情報処理プログラム)を記憶するように構成されている。例えば、メモリは、各種プログラム等が格納されたROM(Read Only Memory)及びプロセッサにより実行される各種プログラム等が格納される複数のワークエリアを有するRAM(Random Access Memory)等から構成されてもよい。また、メモリは、フラッシュメモリ等によって構成されてもよい。プロセッサは、例えば、CPU、MPU(Micro Processing
 Unit)及びGPU(Graphics Processing Unit)のうちの少なくとも一つを含む。CPUは、複数のCPUコアによって構成されてもよい。GPUは、複数のGPUコアによって構成されてもよい。プロセッサは、記憶装置23又はROMに組み込まれた各種プログラムから指定されたプログラムをRAM上に展開し、RAMとの協働で各種処理を実行するように構成されてもよい。特に、プロセッサがメモリに記憶された情報処理プログラムを実行することで、装置2は本実施形態に係る情報処理方法を実行するように構成される。 The control unit 20 is configured to control the operation of the device 2, and includes a memory and a processor. The memory is configured to store computer readable instructions (eg, an information processing program). For example, the memory may include a ROM (Read Only Memory) storing various programs and the like, a RAM (Random Access Memory) having a plurality of work areas storing various programs executed by the processor, and the like. . Further, the memory may be constituted by a flash memory or the like. The processor is, for example, a CPU, an MPU (Micro Processing).
Unit) and at least one of a GPU (Graphics Processing Unit). The CPU may be configured by a plurality of CPU cores. The GPU may be configured by a plurality of GPU cores. The processor may be configured to develop a program specified from various programs incorporated in the storage device 23 or the ROM on the RAM, and to execute various processes in cooperation with the RAM. In particular, when the processor executes the information processing program stored in the memory, the device 2 is configured to execute the information processing method according to the present embodiment.
 記憶装置23は、例えば、HDD(Hard Disk Drive)、SSD(Solid State Drive)、フラッシュメモリ等の記憶装置(ストレージ)であって、プログラムや各種データを格納するように構成されている。記憶装置23には、インターネット上のサーバから送信された本実施形態に係る情報処理プログラムが保存されてもよい。 The storage device 23 is, for example, a storage device (storage) such as an HDD (Hard Disk Drive), an SSD (Solid State Drive), or a flash memory, and is configured to store programs and various data. The information processing program according to the present embodiment transmitted from a server on the Internet may be stored in the storage device 23.
 ネットワークインターフェース25は、装置2を通信ネットワークに接続するように構成されている。具体的には、ネットワークインターフェース25は、通信ネットワークを介してサーバ等の外部装置と通信するための各種有線接続端子を含んでもよい。また、ネットワークインターフェース25は、無線ルータ若しくは無線基地局と通信するための各種処理回路及びアンテナ等を含んでもよい。無線通信の規格は、例えば、Wi-Fi(登録商標)、Bluetooth(登録商標)、ZigBee(登録商標)、LPWA又は第5世代移動通信システム(5G)である。また、通信ネットワークは、ローカルエリアネットワーク(LAN)、ワイドエリアネットワーク(WAN)、無線アクセスネットワーク(RAN)及びインターネットのうちの少なくとも一つを含む。 The network interface 25 is configured to connect the device 2 to a communication network. Specifically, the network interface 25 may include various wired connection terminals for communicating with an external device such as a server via a communication network. The network interface 25 may include various processing circuits and an antenna for communicating with a wireless router or a wireless base station. The wireless communication standard is, for example, Wi-Fi (registered trademark), Bluetooth (registered trademark), ZigBee (registered trademark), LPWA, or a fifth generation mobile communication system (5G). Further, the communication network includes at least one of a local area network (LAN), a wide area network (WAN), a radio access network (RAN), and the Internet.
 表示部26は、液晶ディスプレイ、有機ELディスプレイ等の表示装置であってもよいし、操作者の頭に装着される透過型又は非透過型のヘッドマウントディスプレイ等であってもよい。さらに、表示部26は、画像をスクリーン上に投影するプロジェクター装置であってもよい。 The display unit 26 may be a display device such as a liquid crystal display or an organic EL display, or may be a transmissive or non-transmissive head mounted display mounted on the operator's head. Further, the display unit 26 may be a projector device that projects an image on a screen.
 入力操作部27は、装置2を操作するユーザの入力操作を受付けると共に、当該入力操作に応じた指示信号を生成するように構成されている。入力操作部27は、例えば、表示部26上に重ねて配置されたタッチパネル、筐体に取り付けられた操作ボタン、マウス及び/又はキーボード等である。入力操作部27によって生成された指示信号がバス29を介して制御部20に送信された後、制御部20は、指示信号に応じて所定の動作を実行する。表示部26及び入力操作部27は、USB等の入出力インターフェースを介して装置2に接続されてもよい。 The input operation unit 27 is configured to receive an input operation of a user who operates the device 2 and generate an instruction signal corresponding to the input operation. The input operation unit 27 is, for example, a touch panel arranged on the display unit 26, operation buttons attached to a housing, a mouse and / or a keyboard, and the like. After the instruction signal generated by the input operation unit 27 is transmitted to the control unit 20 via the bus 29, the control unit 20 performs a predetermined operation according to the instruction signal. The display unit 26 and the input operation unit 27 may be connected to the device 2 via an input / output interface such as a USB.
 次に、図2を参照して本実施形態に係る情報処理方法について以下に説明する。図2は、装置2のIPアドレス(例えば、グローバルIPアドレス)を決定する処理の一例を説明するためのフローチャートである。図2に示すように、ステップS1において、装置2の制御部20は、乱数発生器を用いて装置2の秘密鍵を生成する。ここで、乱数発生器は、装置2のOSプログラムによって実現されてもよいし、装置2のハードウェア構成(論理回路等)として実現されてもよい。また、生成される秘密鍵のサイズは、例えば、512ビットである。 Next, an information processing method according to the present embodiment will be described below with reference to FIG. FIG. 2 is a flowchart illustrating an example of a process for determining an IP address (for example, a global IP address) of the device 2. As shown in FIG. 2, in step S1, the control unit 20 of the device 2 generates a secret key of the device 2 using a random number generator. Here, the random number generator may be realized by an OS program of the device 2 or may be realized as a hardware configuration (a logic circuit or the like) of the device 2. The size of the generated secret key is, for example, 512 bits.
 次に、制御部20は、ステップS2において、生成された秘密鍵と所定の暗号アルゴリズムに基づいて装置2の公開鍵を生成する。ここで、所定の暗号アルゴリズムは、例えば、楕円曲線暗号アルゴリズムである。また、生成される公開鍵のサイズは、例えば、256ビットである。 Next, in step S2, the control unit 20 generates a public key of the device 2 based on the generated secret key and a predetermined encryption algorithm. Here, the predetermined encryption algorithm is, for example, an elliptic curve encryption algorithm. The size of the generated public key is, for example, 256 bits.
 次に、制御部20は、ステップS3において、生成された公開鍵と所定のハッシュ関数とに基づいてハッシュ値を生成する。ここで、所定のハッシュ関数は、暗号学的ハッシュ関数であって、例えば、BLAKEが用いられる。また、生成されるハッシュ値のサイズは、例えば、256ビットである。 Next, in step S3, the control unit 20 generates a hash value based on the generated public key and a predetermined hash function. Here, the predetermined hash function is a cryptographic hash function, for example, BLAKE is used. The size of the generated hash value is, for example, 256 bits.
 尚、制御部20は、ステップS3において、生成された公開鍵と、所定の組織に関連付けられた値と、所定のハッシュ関数とに基づいてハッシュ値を生成してもよい。ここで、所定の組織に関連付けられた値の一例としては、所定の組織の商標に関連付けられた値である。例えば、所定の組織が商標X(例えば、“connectFree”)を使用している場合に、ハッシュ値を生成する際に商標Xの値が使用されてもよい。この場合、所定の組織以外の第3者が、所定の組織の許可なしに、本実施形態に係る情報処理方法を実行させるための情報処理プログラムを作成することが防止されうる。 The control unit 20 may generate a hash value based on the generated public key, a value associated with a predetermined organization, and a predetermined hash function in step S3. Here, an example of the value associated with the predetermined organization is a value associated with the trademark of the predetermined organization. For example, when a predetermined organization uses the trademark X (for example, “connectFree”), the value of the trademark X may be used when generating the hash value. In this case, it is possible to prevent a third party other than the predetermined organization from creating an information processing program for executing the information processing method according to the present embodiment without permission of the predetermined organization.
 次に、制御部20は、生成されたハッシュ値が16進数で表示されるハッシュ値のうちの先頭の2桁(先頭の1桁目及び2桁目)に関連付けられた条件を満たすかどうかを判定する(ステップS4)。この点において、ハッシュ値のサイズが256ビットの場合では、ハッシュ値は16進数の64桁で表示される。例えば、64桁で表示されたハッシュ値のうちの先頭の2桁が“FC”である(つまり、ハッシュ値=FC・・・)場合に、制御部20は、ハッシュ値がステップS4の判定条件を満たすと判定してもよい。ステップS4の判定条件がYESの場合には、本処理はステップS5に進む。一方、ステップS4の判定条件がNOである場合には、本処理はステップS1に進む。つまり、ステップS4の判定条件が満たされるまでステップS1~S3の処理が繰り返し実行される。 Next, the control unit 20 determines whether or not the generated hash value satisfies the condition associated with the first two digits (first and second digits) of the hash value displayed in hexadecimal. A determination is made (step S4). At this point, if the size of the hash value is 256 bits, the hash value is represented by 64 hexadecimal digits. For example, when the first two digits of the hash value represented by 64 digits are “FC” (that is, hash value = FC...), The control unit 20 determines that the hash value is equal to the determination condition in step S4. May be determined to be satisfied. If the determination condition in step S4 is YES, the process proceeds to step S5. On the other hand, if the determination condition in step S4 is NO, the process proceeds to step S1. That is, the processing of steps S1 to S3 is repeatedly performed until the determination condition of step S4 is satisfied.
 次に、制御部20は、ステップS5において、ハッシュ値が装置2の種類に関連付けられた条件を満たすかどうかを判定する(ステップS5)。この点において、16進数で表示されるIPアドレスの先頭から3桁目と4桁目の値に応じて当該IPアドレスに関連付けられた装置2の種類が特定できるものとする。例えば、IPアドレスの先頭から3桁目と4桁目の値と装置の種類が以下の関係を有するものとする。 
Figure JPOXMLDOC01-appb-T000001
 Next, in step S5, the control unit 20 determines whether the hash value satisfies a condition associated with the type of the device 2 (step S5). At this point, it is assumed that the type of the device 2 associated with the IP address can be specified according to the values of the third and fourth digits from the beginning of the IP address displayed in hexadecimal. For example, it is assumed that the values of the third and fourth digits from the head of the IP address and the type of the device have the following relationship.
Figure JPOXMLDOC01-appb-T000001
 ここで、16進数で表示されたハッシュ値の3桁目と4桁目の値が装置2の種類に対応するIPアドレスの先頭から3桁目と4桁目の値に一致する場合に、ステップS5の判定条件が満たされる。例えば、装置2の種類がパーソナルコンピュータであると仮定する。この場合、装置2のIPアドレスの先頭から3桁目と4桁目の値は“00”となるため、16進数で表示されたハッシュ値の先頭から3桁目と4桁目の値が“00”であれば(つまり、ハッシュ値=FC00・・・)、ステップS5の判定条件が満たされる。一方、ハッシュ値の先頭から3桁目と4桁目の値が“11”であれば(つまり、ハッシュ値=FC11・・・)、ステップS5の判定条件は満たされない。ステップS5の判定条件がYESの場合には、本処理はステップS6に進む。一方、ステップS5の判定条件がNOである場合には、本処理はステップS1に進む。つまり、ステップS5の判定条件が満たされるまでステップS1~S3の処理が繰り返し実行される。なお、ステップS5を省略する構成としてもよい。 Here, if the third and fourth digit values of the hash value represented by hexadecimal numbers match the third and fourth digit values from the beginning of the IP address corresponding to the type of the device 2, The determination condition of S5 is satisfied. For example, assume that the type of the device 2 is a personal computer. In this case, since the values of the third and fourth digits from the beginning of the IP address of the device 2 are “00”, the values of the third and fourth digits from the beginning of the hash value displayed in hexadecimal are “ If “00” (that is, hash value = FC00...), The determination condition of step S5 is satisfied. On the other hand, if the values of the third and fourth digits from the top of the hash value are “11” (that is, hash value = FC11...), The determination condition of step S5 is not satisfied. If the determination condition in step S5 is YES, the process proceeds to step S6. On the other hand, if the determination condition in step S5 is NO, the process proceeds to step S1. That is, the processing of steps S1 to S3 is repeatedly executed until the determination condition of step S5 is satisfied. Note that a configuration in which step S5 is omitted may be adopted.
 次に、制御部20は、ステップS4,S5の判定条件を満たしたハッシュ値に基づいて装置2のIPアドレスを決定する(ステップS6)。例えば、ハッシュ値のサイズが256ビットであって、IPv6に対応するIPアドレス(128ビット)が装置2のIPアドレスとして使用される場合、制御部20は、64桁のハッシュ値のうち前半の32桁のハッシュ値を装置2のIPアドレスとして決定してもよい。また、ハッシュ値のサイズが128ビットであって、IPv6に対応するIPアドレス(128ビット)が装置2のIPアドレスとして使用される場合、制御部20は、32桁のハッシュ値の全ての値を装置2のIPアドレスとして決定してもよい。さらに、ハッシュ値のサイズが256ビットであって、IPv4に対応するIPアドレス(32ビット)が装置2のIPアドレスとして使用される場合、制御部20は、64桁のハッシュ値のうち前半の8桁のハッシュ値を装置2のIPアドレスとして決定してもよい。 Next, the control unit 20 determines the IP address of the device 2 based on the hash value that satisfies the determination conditions of steps S4 and S5 (step S6). For example, when the size of the hash value is 256 bits and the IP address (128 bits) corresponding to IPv6 is used as the IP address of the device 2, the control unit 20 sets the first half of the 64-digit hash value to 32 bits. The digit hash value may be determined as the IP address of the device 2. When the size of the hash value is 128 bits and the IP address (128 bits) corresponding to IPv6 is used as the IP address of the device 2, the control unit 20 converts all values of the 32-digit hash value into The IP address of the device 2 may be determined. Furthermore, when the size of the hash value is 256 bits and the IP address (32 bits) corresponding to IPv4 is used as the IP address of the device 2, the control unit 20 sets the first half of the 64-digit hash value to 8 bits. The digit hash value may be determined as the IP address of the device 2.
 尚、ステップS6の処理の後に、決定された装置2のIPアドレスが他の装置のIPアドレスと重複しているかどうかを判定するステップが設けられてもよい。具体的には、ステップS6の処理の後に、装置2は、通信ネットワークを介して、IPアドレスを管理する管理サーバに装置2のIPアドレスに関する情報を送信する。管理サーバは、装置2から送信されたIPアドレスが自身の記憶装置に保存されたIPアドレス管理テーブルに含まれるIPアドレスの一つと重複するかどうかを判定する。ここで、装置2のIPアドレスがIPアドレス管理テーブルに含まれるIPアドレスの一つに重複する場合には、管理サーバは、IPアドレスの登録を拒絶する旨のメッセージを装置2に送信してもよい。この場合、装置2は、再度ステップS1からS6の処理を実行した後に再度決定されたIPアドレスに関する情報を管理サーバに送信する。一方、装置2のIPアドレスがIPアドレス管理テーブルに含まれるIPアドレスのいずれにも重複していない場合には、管理サーバは、IPアドレスの登録を許可する旨のメッセージを装置2に送信してもよい。 Note that after the process of step S6, a step of determining whether the determined IP address of the device 2 is the same as the IP address of another device may be provided. Specifically, after the processing in step S6, the device 2 transmits information on the IP address of the device 2 to the management server that manages the IP address via the communication network. The management server determines whether the IP address transmitted from the device 2 overlaps with one of the IP addresses included in the IP address management table stored in its own storage device. Here, if the IP address of the device 2 overlaps with one of the IP addresses included in the IP address management table, the management server may send a message to the device 2 to reject the registration of the IP address. Good. In this case, the device 2 transmits the information on the IP address determined again after executing the processing of steps S1 to S6 again to the management server. On the other hand, if the IP address of the device 2 does not overlap with any of the IP addresses included in the IP address management table, the management server transmits a message to the effect that the registration of the IP address is permitted to the device 2. Is also good.
 次に、ステップS7において、制御部20は、生成された公開鍵に関連付けられた電子証明書を所定の組織の認証局から取得する。すなわち、装置2のユーザは、公開鍵を認証局に登録すると共に、登録された公開鍵に関連した電子証明書を認証局から取得する。より具体的には、制御部20は、通信ネットワークを介して認証局のサーバに公開鍵と電子証明書の発行要求(証明書署名要求)を送信する。次に、認証局のサーバは、受信した電子証明書の発行要求に応じて、公開鍵を登録すると共に、当該公開鍵に関連付けられた電子証明書を発行する。その後、認証局のサーバは、通信ネットワークを介して電子証明書を装置2に送信する。 Next, in step S7, the control unit 20 obtains an electronic certificate associated with the generated public key from a certificate authority of a predetermined organization. That is, the user of the device 2 registers the public key with the certificate authority and obtains an electronic certificate related to the registered public key from the certificate authority. More specifically, the control unit 20 transmits a request for issuing a public key and an electronic certificate (certificate signature request) to a server of a certificate authority via a communication network. Next, the server of the certification authority registers the public key and issues an electronic certificate associated with the public key in response to the received request for issuing the electronic certificate. Then, the server of the certificate authority transmits the electronic certificate to the device 2 via the communication network.
 尚、所定の組織の認証局は、所定の組織の中間認証局であってもよい。また、公開鍵に関連した電子証明書を認証局から取得する際には所定の手数料の支払いが必要であってもよい。 Note that the certificate authority of the predetermined organization may be an intermediate certificate authority of the predetermined organization. Further, when acquiring an electronic certificate related to a public key from a certificate authority, payment of a predetermined fee may be required.
 本実施形態によれば、装置2の公開鍵に基づいて装置2に固有のIPアドレスが決定される。このように、装置2自身によって決定されたIPアドレスを用いて装置2をインターネット等の通信ネットワークに接続させることができる。特に、装置2は、ISP等のグローバルIPアドレスを管理するサービス事業者(サーバ)を介せずに、装置2自身によって決定されたIPアドレスを用いてインターネットに接続することができる。この点において、図3に示すように、装置2を操作するユーザUは、装置2自身によって決定されたIPアドレスを利用することで、無線LANルータ3を介して所定のルーティングによってインターネット4上のWEBサーバ6にアクセスすることができる。さらに、装置2は、プライベートIPアドレスを管理するサーバ(例えば、DHCPサーバ)を介せずに、装置2自身によって決定されたIPアドレスを用いて外部装置と直接通信することができる(詳細については後述する)。 According to the present embodiment, an IP address unique to the device 2 is determined based on the public key of the device 2. Thus, the device 2 can be connected to a communication network such as the Internet using the IP address determined by the device 2 itself. In particular, the device 2 can connect to the Internet using an IP address determined by the device 2 itself without using a service provider (server) that manages a global IP address such as an ISP. At this point, as shown in FIG. 3, the user U operating the device 2 uses the IP address determined by the device 2 itself to perform predetermined routing via the wireless LAN router 3 on the Internet 4. The web server 6 can be accessed. Further, the device 2 can directly communicate with an external device using an IP address determined by the device 2 itself without using a server (for example, a DHCP server) that manages a private IP address (for details, See below).
 したがって、インターネット等の通信ネットワークへの接続に対するユーザ体験又はユーザの利便性を向上させることが可能な情報処理方法及び装置2を提供することができる。 Therefore, it is possible to provide the information processing method and the information processing apparatus 2 capable of improving the user experience or the convenience of the user for connection to a communication network such as the Internet.
 また、本実施形態によれば、ステップS4,S5の条件を満たすハッシュ値を生成することができる。つまり、ステップS4,S5の条件を満たすハッシュ値に関連付けられたIPアドレスを生成することが可能となる。 According to the present embodiment, a hash value that satisfies the conditions of steps S4 and S5 can be generated. That is, it is possible to generate an IP address associated with a hash value that satisfies the conditions of steps S4 and S5.
 具体的には、16進数で表示されたハッシュ値のうちの先頭の2桁の値を固定値(例えば、ハッシュ値=FC・・・)にすることができる。つまり、IPアドレスの先頭の2桁の値を固定値(例えば、IPアドレス=FC・・・)にすることができる。このため、第三者は、装置2のIPアドレスが装置2自身によって決定されたIPアドレスであるかどうかを判別することができる。 Specifically, the first two digits of the hash value represented by the hexadecimal number can be a fixed value (for example, hash value = FC...). That is, the first two digits of the IP address can be set to a fixed value (for example, IP address = FC...). Therefore, a third party can determine whether the IP address of the device 2 is an IP address determined by the device 2 itself.
 さらに、本実施形態では、装置2の種類に応じたハッシュ値を生成することができる。つまり、装置2の種類に応じたIPアドレスを生成することができる。このため、第三者は、装置2のIPアドレスに基づいて装置2の種類を特定することができる。 {Furthermore, in the present embodiment, a hash value corresponding to the type of the device 2 can be generated. That is, an IP address corresponding to the type of the device 2 can be generated. Therefore, a third party can specify the type of the device 2 based on the IP address of the device 2.
 また、本実施形態では、ステップS4,S5の判定条件が満たされるまで繰り返しハッシュ値が生成されるので、ステップS4,S5の条件を満たすハッシュ値に関連付けられたIPアドレスを確実に生成することができる。 Further, in the present embodiment, since the hash value is repeatedly generated until the determination conditions of steps S4 and S5 are satisfied, it is possible to surely generate the IP address associated with the hash value satisfying the conditions of steps S4 and S5. it can.
 また、本実施形態によれば、電子証明書の取得を通じて公開鍵が認証局によって直接的に認証されると共に、公開鍵に基づいて決定されるIPアドレスも間接的に認証局によって認証される。このように、装置2は、認証局によって間接的に認証されたIPアドレスを用いてインターネット等の通信ネットワークに接続することができる。 According to the present embodiment, the public key is directly authenticated by the certificate authority through the acquisition of the electronic certificate, and the IP address determined based on the public key is also indirectly authenticated by the certificate authority. In this way, the device 2 can connect to a communication network such as the Internet using the IP address indirectly authenticated by the certificate authority.
 尚、本実施形態の説明では、装置2の乱数発生器を用いて装置2の秘密鍵が生成されるが、装置2の秘密鍵は、装置2に通信可能に接続された外部装置によって提供されてもよい。また、図2に示す各ステップの順番は特に限定されるものではない。例えば、ステップS7の処理の後にステップS6の処理が実行されてもよい。 In the description of the present embodiment, the secret key of the device 2 is generated using the random number generator of the device 2. The secret key of the device 2 is provided by an external device communicably connected to the device 2. You may. The order of each step shown in FIG. 2 is not particularly limited. For example, the process of step S6 may be performed after the process of step S7.
 また、公開鍵に関連付けられた電子証明書は、装置2の属性に関連する情報(属性情報)を含んでもよい。装置2の属性情報は、例えば、装置2のOSプログラムのバージョン情報及び装置2を構成するハードウェア(例えば、プロセッサや記憶装置等)のシリアル番号に関する情報のうちの少なくとも一つを含んでもよい。また、電子証明書に含まれた装置2の属性情報は、ハッシュ関数等によって暗号化されてもよい。この場合、装置2は、公開鍵及び電子証明書の発行要求(証明書署名要求)を送信する際に、装置2の属性情報を認証局のサーバに送信してもよい。このように、装置2の属性情報が電子証明書に含まれているため、装置2の要求に従って電子証明書が発行されたことが認証される。このため、装置2以外の他の装置が装置2の公開鍵と電子証明書を用いることが好適に防止される。 The electronic certificate associated with the public key may include information (attribute information) related to the attribute of the device 2. The attribute information of the device 2 may include, for example, at least one of version information of an OS program of the device 2 and information on a serial number of hardware (for example, a processor or a storage device) constituting the device 2. Further, the attribute information of the device 2 included in the electronic certificate may be encrypted by a hash function or the like. In this case, when transmitting the request for issuing the public key and the electronic certificate (certificate signature request), the device 2 may transmit the attribute information of the device 2 to the server of the certificate authority. As described above, since the attribute information of the device 2 is included in the electronic certificate, it is authenticated that the electronic certificate has been issued according to the request of the device 2. For this reason, it is suitably prevented that a device other than the device 2 uses the public key and the electronic certificate of the device 2.
 また、電子証明書は、装置2に関連付けられたユーザ(例えば、装置2を所有するユーザ)の属性情報を含んでもよい。例えば、ユーザの属性情報の一例としては、ユーザの氏名、識別番号、連絡先、年齢、性別、住所又はクレジットカード情報である。このように、ユーザの属性情報が電子証明書に含まれているため、当該ユーザ以外の第三者が装置2の公開鍵と電子証明書を用いることが好適に防止される。さらに、装置2がユーザの属性情報を含む電子証明書をWEBサーバに送信する場合には、WEBサーバは電子証明書に含まれるユーザ属性情報を確認することができる。このため、装置2のユーザは、ユーザ情報等を登録せずに、当該WEBサーバによって提供されるオンラインサービス(ECサイト等)を利用することができる。つまり、装置2のユーザは、各オンラインサービスのログイン情報(ログインIDとログインパスワード)を管理する手間から解放されうるため、ユーザにリッチなオンライン体験を提供することが可能となる。 The electronic certificate may also include attribute information of a user associated with the device 2 (for example, a user who owns the device 2). For example, an example of the user's attribute information is the user's name, identification number, contact information, age, gender, address, or credit card information. As described above, since the attribute information of the user is included in the electronic certificate, a third party other than the user is preferably prevented from using the public key of the apparatus 2 and the electronic certificate. Further, when the device 2 transmits an electronic certificate including user attribute information to the WEB server, the WEB server can check the user attribute information included in the electronic certificate. Therefore, the user of the device 2 can use an online service (such as an EC site) provided by the WEB server without registering the user information or the like. That is, the user of the device 2 can be released from the trouble of managing the login information (login ID and login password) of each online service, so that a rich online experience can be provided to the user.
 また、電子証明書に記載された装置2の属性情報及び/又はユーザの属性情報(以下、単に「属性情報」という場合がある。)のハッシュ値が電子証明書に含まれてもよい。当該ハッシュ値は、属性情報と暗号学的ハッシュ関数とに基づいて生成される。この場合、電子証明書に記載された属性情報が第三者によって改ざんされた場合には当該ハッシュ値が変化するため、ハッシュ値に基づいて属性情報の改ざんを検出することができる。例えば、装置2が電子証明書を外部装置に送信する場合、外部装置は電子証明書の属性情報のハッシュ値を演算することで、演算されたハッシュ値が電子証明書に示されるハッシュ値と一致するかどうかを判定する。ここで、演算されたハッシュ値が電子証明書に示されるハッシュ値と一致すれば、外部装置は電子証明書の属性情報が改ざんされていないと判定する。一方、両者が一致しなければ、外部装置は電子証明書の属性情報が改ざんされたと判定する。 (4) The hash value of the attribute information of the device 2 and / or the attribute information of the user (hereinafter, may be simply referred to as “attribute information”) described in the electronic certificate may be included in the electronic certificate. The hash value is generated based on the attribute information and the cryptographic hash function. In this case, if the attribute information described in the electronic certificate is falsified by a third party, the hash value changes, so that the falsification of the attribute information can be detected based on the hash value. For example, when the device 2 transmits an electronic certificate to an external device, the external device calculates the hash value of the attribute information of the electronic certificate so that the calculated hash value matches the hash value indicated in the electronic certificate. It is determined whether or not to do. Here, if the calculated hash value matches the hash value indicated in the digital certificate, the external device determines that the attribute information of the digital certificate has not been falsified. On the other hand, if the two do not match, the external device determines that the attribute information of the electronic certificate has been falsified.
 また、電子証明書に記載された全ての記載内容のハッシュ値が電子証明書に含まれてもよい。この場合も同様に、電子証明書に記載された一部の内容が第三者によって改ざんされた場合には、当該ハッシュ値が変化するため、ハッシュ値に基づいて電子証明書の記載内容が第三者によって改ざんされたことを検出することができる。 ハ ッ シ ュ Also, the hash value of all the contents described in the electronic certificate may be included in the electronic certificate. Similarly, in this case, if a part of the content described in the digital certificate is tampered with by a third party, the hash value changes, so the description content of the digital certificate is changed based on the hash value. It is possible to detect tampering by three parties.
 上述したように、電子証明書は、装置2の属性情報及び/又はユーザの属性情報を含んでいる。この場合、電子証明書に記載された全ての属性情報が外部装置に伝達されてもよいし、電子証明書に記載された一部の属性情報が外部装置に非伝達となっていてもよい。つまり、電子証明書に記載された一部の属性情報がハッシュ関数によってハッシュされてもよい。例えば、図8に示すように、ユーザは、装置2に対する入力操作を通じて、電子証明書8に記載されたユーザ属性情報40のうち住所及びクレジットカード情報等をハッシュすることができる。このように、装置2から電子証明書8を受信した外部装置は、電子証明書8に記載のユーザ属性情報40のうち住所及びクレジットカード情報を特定できない一方で、住所及びクレジットカード情報以外のユーザ属性情報40を特定することができる。 As described above, the electronic certificate includes the attribute information of the device 2 and / or the attribute information of the user. In this case, all the attribute information described in the electronic certificate may be transmitted to the external device, or some of the attribute information described in the electronic certificate may not be transmitted to the external device. That is, some attribute information described in the electronic certificate may be hashed by the hash function. For example, as shown in FIG. 8, the user can hash an address, credit card information, and the like in the user attribute information 40 described in the electronic certificate 8 through an input operation on the device 2. As described above, the external device that has received the electronic certificate 8 from the device 2 cannot specify the address and the credit card information in the user attribute information 40 described in the electronic certificate 8, but the user other than the address and the credit card information The attribute information 40 can be specified.
 また、図8に示すように、全ての属性情報が表示状態となっている場合の全ての属性情報のハッシュ値は、一部の属性情報が非表示(ハッシュ)状態となっている場合の全ての属性情報のハッシュ値と一致する。同様に、全ての属性情報が表示状態となっている場合の電子証明書に記載された全ての記載内容のハッシュ値は、一部の属性情報が非表示(ハッシュ)状態となっている場合の電子証明書に記載された全ての記載内容のハッシュ値と一致する。つまり、属性情報の一部がハッシュされていても全ての属性情報のハッシュ値又は電子証明書に記載された全ての記載内容のハッシュ値は変化しないため、ハッシュ値に基づいて、第三者による電子証明書の改ざんを容易に検出することができる。 Also, as shown in FIG. 8, the hash values of all the attribute information when all the attribute information are in the display state are all the hash values when some of the attribute information is in the non-display (hash) state. Matches the hash value of the attribute information. Similarly, the hash value of all the description contents described in the electronic certificate when all the attribute information is in the display state is the same as the hash value when some of the attribute information is in the non-display (hash) state. It matches the hash value of all the contents described in the electronic certificate. In other words, even if a part of the attribute information is hashed, the hash value of all the attribute information or the hash value of all the description contents described in the digital certificate does not change. Tampering with the electronic certificate can be easily detected.
 また、一部の属性情報の非表示(ハッシュ化)は、ユーザによって予め設定されてもよいし、外部装置からの要求に応じて変更可能であってもよい。尚、ハッシュ値と元の情報との間の関係を示すデータベースを参照することで、属性情報のハッシュ値に基づいて元の属性情報が把握されてしまう状況が想定される。かかる状況を防ぐために、所定の係数と元の属性情報とに基づいて元の属性情報がハッシュされてもよい。この場合、所定の係数は、定数であってもよいし、所定の情報(例えば、電子証明書の日付情報等)に基づいて変化する変数であってもよい。 (4) The non-display (hashing) of some attribute information may be set in advance by the user or may be changeable in response to a request from an external device. It is assumed that the original attribute information is grasped based on the hash value of the attribute information by referring to the database indicating the relationship between the hash value and the original information. In order to prevent such a situation, the original attribute information may be hashed based on a predetermined coefficient and the original attribute information. In this case, the predetermined coefficient may be a constant, or may be a variable that changes based on predetermined information (for example, date information of an electronic certificate).
 次に、図4及び図5を主に参照して本実施形態に係る情報処理システム30について以下に説明する。図4は、情報処理装置2A(以下、単に「装置2A」という。)と、情報処理装置2B(以下、単に「装置2B」という。)を含む情報処理システム30を示す図である。図5は、外部装置のIPアドレスを決定する処理の一例を説明するためのフローチャートである。 Next, the information processing system 30 according to the present embodiment will be described below mainly with reference to FIGS. FIG. 4 is a diagram illustrating an information processing system 30 including an information processing device 2A (hereinafter, simply referred to as “device 2A”) and an information processing device 2B (hereinafter, simply referred to as “device 2B”). FIG. 5 is a flowchart illustrating an example of a process for determining an IP address of an external device.
 尚、本実施形態の情報処理システム30では、説明を簡略化するために、互いに通信可能に接続される情報処理装置の数を2つとしているが、互いに通信可能に接続される情報処理装置の数は3つ以上であってもよい。また、装置2A,2Bの各々は、図1に示す装置2のハードウェア構成を有するものとする。 In the information processing system 30 of the present embodiment, for simplicity of description, the number of information processing devices that are communicably connected to each other is two. The number may be three or more. Each of the devices 2A and 2B has the hardware configuration of the device 2 shown in FIG.
 さらに、装置2A,2Bの各々は、図2に示すIPアドレスを決定する処理を既に実行しているものとする。即ち、装置2Aは、装置2AのIPアドレスを決定する処理を既に実行しているものとする。このため、装置2Aは、図4に示すように、装置2AのIPアドレスに関連付けられた公開鍵7Aを既に生成していると共に、公開鍵7Aに関連付けられた電子証明書8Aを認証局から既に取得しているものとする。同様に、装置2Bは、装置2BのIPアドレスを決定する処理を既に実行しているものとする。このため、装置2Bは、図4に示すように、装置2BのIPアドレスに関連付けられた公開鍵7Bを既に生成していると共に、公開鍵7Bに関連付けられた電子証明書8Bを認証局から既に取得しているものとする。 {Furthermore, it is assumed that each of the devices 2A and 2B has already executed the processing for determining the IP address shown in FIG. That is, it is assumed that the device 2A has already executed the process of determining the IP address of the device 2A. Therefore, as shown in FIG. 4, the device 2A has already generated the public key 7A associated with the IP address of the device 2A, and has already issued the electronic certificate 8A associated with the public key 7A from the certificate authority. It is assumed that it has been acquired. Similarly, it is assumed that the device 2B has already executed the process of determining the IP address of the device 2B. Therefore, as shown in FIG. 4, the device 2B has already generated the public key 7B associated with the IP address of the device 2B, and has already issued the digital certificate 8B associated with the public key 7B from the certificate authority. It is assumed that it has been acquired.
 図5に示すように、ステップS10において、装置2A(具体的には、装置2Aの制御部20)は、装置2Aの外部に向けて公開鍵7Aと公開鍵7Aに関連付けられた電子証明書8Aを送信(ブロードキャスト)する。その後、装置2Aの付近に存在する装置2Bは、装置2Aからブロードキャストされた公開鍵7Aと電子証明書8Aを受信する。また、ステップS11において、装置2B(具体的には、装置2Bの制御部20)は、装置2Bの外部に向けて公開鍵7Bと公開鍵7Bに関連付けられた電子証明書8Bを送信(ブロードキャスト)する。その後、装置2Aは、装置2Bからブロードキャストされた公開鍵7Bと電子証明書8Bを受信する。尚、ステップS11の処理は、ステップS10の処理と同時に実行されてもよいし、ステップS10の処理よりも前に実行されてもよい。 As shown in FIG. 5, in step S10, the device 2A (specifically, the control unit 20 of the device 2A) sends a public key 7A and an electronic certificate 8A associated with the public key 7A to the outside of the device 2A. (Broadcast). Thereafter, the device 2B existing near the device 2A receives the public key 7A and the electronic certificate 8A broadcast from the device 2A. In step S11, the device 2B (specifically, the control unit 20 of the device 2B) transmits (broadcasts) the public key 7B and the electronic certificate 8B associated with the public key 7B to the outside of the device 2B. I do. Thereafter, the device 2A receives the public key 7B and the electronic certificate 8B broadcast from the device 2B. Note that the process of step S11 may be performed simultaneously with the process of step S10, or may be performed before the process of step S10.
 次に、ステップS12において、装置2Bは、装置2Aからブロードキャストされた電子証明書8Aが正当であるかどうかを判定する。ここで、図6を参照して電子証明書8Aの正当性を判定する処理(つまり、ステップS12の処理)について以下に説明する。 Next, in step S12, the device 2B determines whether the digital certificate 8A broadcast from the device 2A is valid. Here, the process of determining the validity of the electronic certificate 8A (that is, the process of step S12) will be described below with reference to FIG.
 図6に示すように、ステップS20において、装置2Bは、電子証明書8Aの完全性を判定する。具体的には、装置2Bは、電子証明書8Aの所有者情報、電子証明書8Aの発行者情報及び発行者のデジタル署名を確認する。次に、ステップS21において、装置2Bは、電子証明書8Aの有効期限を判定する。その後、ステップS22において、装置2Bは、電子証明書8Aの発行元の信頼性を判定する。特に、電子証明書8Aを発行した認証局が中間認証局である場合、装置2Bは、電子証明書8Aを発行した中間認証局のルート認証局を特定すると共に、当該特定されたルート認証局が信頼できるかどうかを判定する。例えば、当該特定されたルート認証局が装置2Bのメモリに保存された複数のルート認証局に関する情報に含まれている場合には、電子証明書8Aの発行元が信頼できると判定する。 As shown in FIG. 6, in step S20, the device 2B determines the integrity of the electronic certificate 8A. Specifically, the device 2B checks the owner information of the electronic certificate 8A, the issuer information of the electronic certificate 8A, and the digital signature of the issuer. Next, in step S21, the device 2B determines the expiration date of the electronic certificate 8A. Thereafter, in step S22, the device 2B determines the reliability of the issuer of the electronic certificate 8A. In particular, when the certificate authority that has issued the digital certificate 8A is an intermediate certificate authority, the device 2B specifies the root certificate authority of the intermediate certificate authority that has issued the digital certificate 8A, and determines that the specified root certificate authority is Determine if you can trust. For example, if the specified root certificate authority is included in the information on a plurality of root certificate authorities stored in the memory of the device 2B, it is determined that the issuer of the electronic certificate 8A is reliable.
 図5に戻ると、装置2Bは、電子証明書8Aが正当であると判定すると、公開鍵7Aと所定のハッシュ関数とに基づいてハッシュ値を生成する(ステップS13)。ここで、所定のハッシュ関数は、既に説明したように、BLAKE等の暗号学的ハッシュ関数である。また、本実施形態では、装置2Bが使用するハッシュ関数と装置2Aが使用するハッシュ関数は同一であるものとする。 Returning to FIG. 5, when determining that the electronic certificate 8A is valid, the device 2B generates a hash value based on the public key 7A and a predetermined hash function (step S13). Here, the predetermined hash function is a cryptographic hash function such as BLAKE as described above. Further, in the present embodiment, it is assumed that the hash function used by the device 2B and the hash function used by the device 2A are the same.
 次に、ステップS14において、装置2Bは、生成されたハッシュ値に基づいて装置2AのIPアドレスを決定する。例えば、既に説明したように、ハッシュ値のサイズが256ビットであって、IPv6に対応するIPアドレス(128ビット)が装置2AのIPアドレスとして使用される場合、装置2Bは、64桁のハッシュ値のうち前半の32桁のハッシュ値を装置2AのIPアドレスとして決定してもよい。 Next, in step S14, the device 2B determines the IP address of the device 2A based on the generated hash value. For example, as described above, when the size of the hash value is 256 bits and the IP address (128 bits) corresponding to IPv6 is used as the IP address of the device 2A, the device 2B generates the 64-digit hash value. Of the first half may be determined as the IP address of the device 2A.
 一方、装置2Aは、ステップS15において、装置2Bからブロードキャストされた電子証明書8Bが正当であるかどうかを判定する。ステップS15の具体的な処理の内容は、図6に示したとおりである。次に、装置2Aは、電子証明書8Bが正当であると判定すると、公開鍵7Bと所定のハッシュ関数とに基づいてハッシュ値を生成する(ステップS16)。また、既に説明したように、装置2Aが使用するハッシュ関数は、装置2Bが使用するハッシュ関数と同一のものである。 On the other hand, in step S15, the device 2A determines whether the electronic certificate 8B broadcast from the device 2B is valid. The specific contents of the processing in step S15 are as shown in FIG. Next, when determining that the electronic certificate 8B is valid, the device 2A generates a hash value based on the public key 7B and a predetermined hash function (Step S16). Further, as described above, the hash function used by the device 2A is the same as the hash function used by the device 2B.
 その後、ステップS17において、装置2Aは、生成されたハッシュ値に基づいて装置2BのIPアドレスを決定する。ステップS14の処理と同様に、ハッシュ値のサイズが256ビットであって、IPv6に対応するIPアドレス(128ビット)が装置2BのIPアドレスとして使用される場合、装置2Aは、64桁のハッシュ値のうち前半の32桁のハッシュ値を装置2BのIPアドレスとして決定してもよい。 Thereafter, in step S17, the device 2A determines the IP address of the device 2B based on the generated hash value. Similarly to the processing in step S14, when the size of the hash value is 256 bits and the IP address (128 bits) corresponding to IPv6 is used as the IP address of the device 2B, the device 2A uses the 64-digit hash value. May be determined as the IP address of the device 2B.
 このように、装置2Aは、装置2A,2BのIPアドレスを知ることができると共に、装置2Bは、装置2A,2BのIPアドレスを知ることができる。したがって、装置2A,2BはIPアドレスを管理するサーバを介せずに互いに直接接続されうる(つまり、サーバを介さない装置2A,2Bとの間のP2P通信が実現されうる)。特に、バーチャルプライベートネットワーク(VPN)サーバを中継して装置2A,2Bを接続する必要がないため、装置2A,2B間の直接接続において必要とされる消費電力が大幅に低減されうる。また、3以上の装置間を直接接続する際にもVPNサーバを中継する必要がないため、3以上の装置間の直接接続において必要とされる消費電力が大幅に低減されうる。 As described above, the device 2A can know the IP addresses of the devices 2A and 2B, and the device 2B can know the IP addresses of the devices 2A and 2B. Therefore, the devices 2A and 2B can be directly connected to each other without using a server that manages an IP address (that is, P2P communication with the devices 2A and 2B without a server can be realized). In particular, since there is no need to connect the devices 2A and 2B via a virtual private network (VPN) server, the power consumption required for direct connection between the devices 2A and 2B can be significantly reduced. Also, even when three or more devices are directly connected, there is no need to relay a VPN server, so that the power consumption required for the direct connection between three or more devices can be significantly reduced.
 例えば、装置2Aはメールサーバ等を介さずに装置2Bにメッセージを送信することができるため、装置2Aのメッセージが第三者(例えば、サーバ管理者等)に把握される状況を回避することが可能となる。さらに、装置2Aは、VPNサーバを介さずに装置2Aのスクリーン画面を示す画像データを装置2Bに送信することができる。一方で、装置2Bは、VPNサーバを介さずに装置2Aのスクリーン画面を操作するための操作信号を装置2Aに送信することができる。このように、装置2Bのユーザは、装置2Aをリモート操作することが可能となる。また、装置2Aと装置2Bは、ファイル交換サーバを介さずに電子ファイルを互いに共有することができる。このため、共有される電子ファイルが第三者に把握される状況を回避することが可能できる。 For example, since the device 2A can transmit a message to the device 2B without passing through a mail server or the like, it is possible to avoid a situation where the message of the device 2A is grasped by a third party (for example, a server administrator or the like). It becomes possible. Further, the device 2A can transmit image data indicating the screen screen of the device 2A to the device 2B without going through the VPN server. On the other hand, the device 2B can transmit an operation signal for operating the screen screen of the device 2A to the device 2A without going through the VPN server. Thus, the user of the device 2B can remotely operate the device 2A. Further, the device 2A and the device 2B can share an electronic file with each other without going through a file exchange server. Therefore, it is possible to avoid a situation where the shared electronic file is grasped by a third party.
 また、装置2Aが装置2Bにメッセージを送信する場合(又は、装置2Bが装置2Aにメッセージを送信する場合)には、送信メッセージ(送信パケット)は暗号化されてもよい。例えば、送信メッセージは、装置2Aの公開鍵7Aと装置2Bの公開鍵7Bに基づいて生成される共通鍵によって暗号化されてもよい。また、装置2Aと装置2Bとのセッションが確立される度に当該共通鍵は変更されてもよい。このように、装置2Aと装置2Bとの間のセキュアな通信を実現することが可能となる。 When the device 2A transmits a message to the device 2B (or when the device 2B transmits a message to the device 2A), the transmission message (transmission packet) may be encrypted. For example, the transmission message may be encrypted with a common key generated based on the public key 7A of the device 2A and the public key 7B of the device 2B. Further, the common key may be changed each time a session between the device 2A and the device 2B is established. Thus, it is possible to realize secure communication between the device 2A and the device 2B.
 また、本実施形態によれば、外部装置から送信された電子証明書が正当であると判定された場合に、外部装置の公開鍵に基づいて外部装置のハッシュ値が生成される。その後、外部装置のハッシュ値に基づいて外部装置のIPアドレスが決定される(ここで、装置2Aから見た場合では装置2Bが外部装置となる一方で、装置2Bから見た場合には装置2Aが外部装置となる。)。このように、装置2Aは、受信した公開鍵7Bが装置2Bの公開鍵であることを確認することができる。さらに、装置2Aは、公開鍵7Bに基づいて生成されたIPアドレスが装置2BのIPアドレスであることを確認することができる。したがって、装置2Aは、装置2BのIPアドレスを確実に取得することができると共に、装置2BのIPアドレスを用いて装置2Bと確実に通信することが可能となる。 According to the present embodiment, when the electronic certificate transmitted from the external device is determined to be valid, the hash value of the external device is generated based on the public key of the external device. Thereafter, the IP address of the external device is determined based on the hash value of the external device (here, the device 2B is an external device when viewed from the device 2A, while the device 2A is determined when viewed from the device 2B). Is an external device.). In this manner, the device 2A can confirm that the received public key 7B is the public key of the device 2B. Further, the device 2A can confirm that the IP address generated based on the public key 7B is the IP address of the device 2B. Therefore, the device 2A can reliably acquire the IP address of the device 2B, and can reliably communicate with the device 2B using the IP address of the device 2B.
 一方、装置2Bは、受信した公開鍵7Aが装置2Aの公開鍵であることを確認することができる。さらに、装置2Bは、公開鍵7Aに基づいて生成されたIPアドレスが装置2AのIPアドレスであることを確認することができる。したがって、装置2Bは、装置2AのIPアドレスを確実に取得することができると共に、装置2AのIPアドレスを用いて装置2Aと確実に通信することができる。 On the other hand, the device 2B can confirm that the received public key 7A is the public key of the device 2A. Further, the device 2B can confirm that the IP address generated based on the public key 7A is the IP address of the device 2A. Therefore, the device 2B can reliably acquire the IP address of the device 2A and can reliably communicate with the device 2A using the IP address of the device 2A.
 また、上記したように、本実施形態に係る情報処理システムは3つ以上の情報処理装置を有してもよい。例えば、図7に示すように、情報処理システム30Aが4つの情報処理装置2A~2D(以下、単に「装置2A~2D」という。)を有する場合を想定する。ここで、装置2A~2Dの各々は図1に示す装置2のハードウェア構成を有するものとする。この場合、装置2A~2Dの各々は、図5に示す装置2A又は装置2Bによって実行される各処理を実行する。 As described above, the information processing system according to the present embodiment may include three or more information processing devices. For example, as shown in FIG. 7, it is assumed that the information processing system 30A has four information processing devices 2A to 2D (hereinafter, simply referred to as “devices 2A to 2D”). Here, each of the devices 2A to 2D has the hardware configuration of the device 2 shown in FIG. In this case, each of the devices 2A to 2D executes each processing executed by the device 2A or 2B shown in FIG.
 この点において、装置2Aは、外部に向けて装置2Aの公開鍵と電子証明書をブロードキャストすると共に、装置2Aの付近に存在する装置2B~2Dの各々から公開鍵と電子証明書を受信する。装置2Bは、外部に向けて装置2Bの公開鍵と電子証明書をブロードキャストする共に、装置2A,2C,2Dの各々から公開鍵と電子証明書を受信する。装置2Cは、外部に向けて装置2Cの公開鍵と電子証明書をブロードキャストすると共に、装置2A,2B,2Dの各々から公開鍵と電子証明書を受信する。装置2Dは、外部に向けて装置2Dの公開鍵と電子証明書をブロードキャストすると共に、装置2A~2Cの各々から公開鍵と電子証明書を受信する。 At this point, the device 2A broadcasts the public key and the electronic certificate of the device 2A to the outside, and receives the public key and the electronic certificate from each of the devices 2B to 2D existing near the device 2A. The device 2B broadcasts the public key and the electronic certificate of the device 2B to the outside, and receives the public key and the electronic certificate from each of the devices 2A, 2C, and 2D. The device 2C broadcasts the public key and the electronic certificate of the device 2C to the outside, and receives the public key and the electronic certificate from each of the devices 2A, 2B, and 2D. The device 2D broadcasts the public key and the electronic certificate of the device 2D to the outside, and receives the public key and the electronic certificate from each of the devices 2A to 2C.
 その後、装置2Aは、装置2B~装置2DのIPアドレスを決定する。装置2Bは、装置2A,2C,2DのIPアドレスを決定する。装置2Cは、装置2A,2B,2DのIPアドレスを決定する。装置2Dは、装置2A~2CのIPアドレスを決定する。このように、装置2A~2Dの各々は、装置2A~2DのIPアドレスを用いて3つの外部装置と直接接続されうる。換言すれば、装置2A~2Dによってメッシュネットワークが構成されうる。また、装置2A~2Dの接続には通信ネットワークにおける所定のルーティングを介してもよい。装置2A~2Dは最適な経路を形成して互いに接続されうる。 (4) Thereafter, the device 2A determines the IP addresses of the devices 2B to 2D. The device 2B determines the IP addresses of the devices 2A, 2C, and 2D. The device 2C determines the IP addresses of the devices 2A, 2B, and 2D. The device 2D determines the IP addresses of the devices 2A to 2C. Thus, each of the devices 2A-2D can be directly connected to three external devices using the IP addresses of the devices 2A-2D. In other words, a mesh network can be configured by the devices 2A to 2D. Further, the connection of the devices 2A to 2D may be through a predetermined routing in a communication network. The devices 2A to 2D can be connected to each other to form an optimal path.
 また、図7に示す情報処理システム30Aでは、装置2A~2Dの各々が同一のハッシュ関数を用いるため、装置2A~2Dによってメッシュネットワークが構成されているが、本実施形態はこれに限定されるものではない。 Further, in the information processing system 30A shown in FIG. 7, since each of the devices 2A to 2D uses the same hash function, a mesh network is configured by the devices 2A to 2D, but the present embodiment is not limited to this. Not something.
 例えば、装置2A,2Bが第1ハッシュ関数を用いる一方で、装置2C,2Dが第1ハッシュ関数とは異なる第2ハッシュ関数を用いてもよい。この場合、装置2A,2Bが互いに通信可能に接続されると共に、装置2C,2Dが互いに通信可能に接続される。一方で、装置2A,2Bは、装置2C,2Dとは通信可能に接続されない。このように、異なる2つのハッシュ関数を用いることで情報処理システム30A内において2つの通信ネットワークグループを構築することができる。 For example, while the devices 2A and 2B use the first hash function, the devices 2C and 2D may use a second hash function different from the first hash function. In this case, the devices 2A and 2B are communicably connected to each other, and the devices 2C and 2D are communicably connected to each other. On the other hand, the devices 2A and 2B are not communicably connected to the devices 2C and 2D. Thus, two communication network groups can be constructed in the information processing system 30A by using two different hash functions.
 また、本実施形態に係る装置2をソフトウェアによって実現するためには、情報処理プログラムが記憶装置23又はROMに予め組み込まれていてもよい。或いは、情報処理プログラムは、磁気ディスク(例えば、HDD、フロッピーディスク)、光ディスク(例えば、CD-ROM,DVD-ROM、Blu-ray(登録商標)ディスク)、光磁気ディスク(例えば、MO)、フラッシュメモリ(例えば、SDカード、USBメモリ、SSD)等のコンピュータ読取可能な記憶媒体に格納されていてもよい。この場合、コンピュータ読取可能な記憶媒体に格納された情報処理プログラムが記憶装置23に組み込まれてもよい。さらに、記憶装置23に組み込まれた当該情報処理プログラムがRAM上にロードされた上で、プロセッサがRAM上にロードされた当該情報処理プログラムを実行してもよい。このように、本実施形態に係る情報処理方法が装置2によって実行される。 In order to implement the device 2 according to the present embodiment by software, an information processing program may be pre-installed in the storage device 23 or the ROM. Alternatively, the information processing program includes a magnetic disk (for example, HDD, floppy disk), an optical disk (for example, CD-ROM, DVD-ROM, Blu-ray (registered trademark) disk), a magneto-optical disk (for example, MO), and a flash. It may be stored in a computer-readable storage medium such as a memory (for example, an SD card, a USB memory, or an SSD). In this case, an information processing program stored in a computer-readable storage medium may be incorporated in the storage device 23. Further, after the information processing program incorporated in the storage device 23 is loaded on the RAM, the processor may execute the information processing program loaded on the RAM. Thus, the information processing method according to the present embodiment is executed by the device 2.
 また、情報処理プログラムは、インターネット等の通信ネットワーク上のサーバの記憶媒体(例えば、HDD)に格納されてもよい。この場合、情報処理プログラムは、当該サーバからネットワークインターフェース25を介してダウンロードされてもよい。この場合も同様に、ダウンロードされた当該情報処理プログラムが記憶装置23に組み込まれてもよい。 The information processing program may be stored in a storage medium (for example, HDD) of a server on a communication network such as the Internet. In this case, the information processing program may be downloaded from the server via the network interface 25. In this case, similarly, the downloaded information processing program may be incorporated in the storage device 23.
 また、本実施形態に係る情報処理プログラム(情報処理方法)は、OSI(Open Systems Interconnection)参照モデルにおけるネットワーク層によって実行される。このため、OSI参照モデルのトランスポート層、セッション層、プレゼンテーション層及びアプリケーション層においてセキュアな通信を実現できると共に、既存のアプリケーションプログラム及び物理インフラがそのまま適用可能となる。 The information processing program (information processing method) according to the present embodiment is executed by a network layer in an OSI (Open \ Systems \ Interconnection) reference model. Therefore, secure communication can be realized in the transport layer, session layer, presentation layer, and application layer of the OSI reference model, and the existing application programs and physical infrastructure can be applied as they are.
 以上、本発明の実施形態について説明をしたが、本発明の技術的範囲が本実施形態の説明によって限定的に解釈されるべきではない。本実施形態は一例であって、特許請求の範囲に記載された発明の範囲内において、様々な実施形態の変更が可能であることが当業者によって理解されるところである。本発明の技術的範囲は特許請求の範囲に記載された発明の範囲及びその均等の範囲に基づいて定められるべきである。 Although the embodiments of the present invention have been described above, the technical scope of the present invention should not be construed as being limited by the description of the embodiments. This embodiment is an example, and it will be understood by those skilled in the art that various embodiments can be modified within the scope of the invention described in the claims. The technical scope of the present invention should be determined based on the scope of the invention described in the claims and the equivalents thereof.
 例えば、図2に示すステップS7の処理において、装置2は、複数の組織の認証局から装置2の公開鍵に関連付けられた電子証明書を取得してもよい。また、電子証明書は、認証局の組織の属性に関連した情報を含んでもよい。例えば、電子証明書が組織Xの認証局から発行された場合には、電子証明書は組織Xの属性に関連した情報を含んでもよい。 For example, in the process of step S7 shown in FIG. 2, the device 2 may acquire an electronic certificate associated with the public key of the device 2 from certificate authorities of a plurality of organizations. Further, the electronic certificate may include information related to the attribute of the organization of the certificate authority. For example, when the electronic certificate is issued from the certificate authority of organization X, the electronic certificate may include information related to the attribute of organization X.
 また、図4に示すように、装置2Aは、複数の別々の組織の認証局から複数の電子証明書8Aを取得すると共に、装置2Bは、複数の別々の組織の認証局から複数の電子証明書8Bを取得するものとする。この場合、装置2Aは、ステップS10において、公開鍵7Aと複数の電子証明書8Aを装置2Bに送信する。また、装置2Bは、ステップS11において、公開鍵7Bと複数の電子証明書8Bを装置2Aに送信する。さらに、装置2Bは、ステップS12において、複数の電子証明書8Aの各々が正当であるかどうかを判定した後に、複数の電子証明書8Aを発行した複数の認証局の組織のうちの少なくとも一つが装置2Bのメモリに保存された複数の認証局の組織を示す組織リストに含まれるかどうかを判定してもよい。具体的には、装置2Bは、電子証明書8Aに含まれる組織の属性に関連した情報と組織リストに基づいて、複数の電子証明書8Aを発行した複数の認証局の組織のうちの少なくとも一つが組織リストに含まれるかどうかを判定してもよい。装置2Bは、複数の電子証明書8Aを発行した複数の認証局の組織のうちの少なくとも一つが組織リストに含まれる場合に、ステップS13,S14の処理を実行してもよい。 As shown in FIG. 4, the device 2A obtains a plurality of digital certificates 8A from certificate authorities of a plurality of different organizations, and the device 2B obtains a plurality of digital certificates from certificate authorities of a plurality of different organizations. Letter 8B is obtained. In this case, the device 2A transmits the public key 7A and the plurality of digital certificates 8A to the device 2B in step S10. Further, the device 2B transmits the public key 7B and the plurality of digital certificates 8B to the device 2A in step S11. Further, in step S12, after determining whether each of the plurality of digital certificates 8A is valid, at step S12, at least one of the organizations of the plurality of certificate authorities that issued the plurality of digital certificates 8A determines It may be determined whether it is included in the organization list indicating the organizations of the plurality of certificate authorities stored in the memory of the device 2B. Specifically, the device 2B determines at least one of the organizations of the plurality of certificate authorities that issued the plurality of digital certificates 8A based on information related to the attribute of the organization included in the digital certificate 8A and the organization list. It may be determined whether or not one is included in the organization list. The device 2B may execute the processing of steps S13 and S14 when at least one of the organizations of the plurality of certificate authorities that issued the plurality of digital certificates 8A is included in the organization list.
 同様に、装置2Aは、ステップS15において、複数の電子証明書8Bの各々が正当であるかどうかを判定した後に、複数の電子証明書8Bを発行した複数の認証局の組織のうちの少なくとも一つが装置2Aのメモリに保存された複数の組織を示す組織リストに含まれるかどうかを判定してもよい。具体的には、装置2Aは、電子証明書8Bに含まれる組織の属性に関連した情報と組織リストに基づいて、複数の電子証明書8Bを発行した複数の認証局の組織のうちの少なくとも一つが組織リストに含まれるかどうかを判定してもよい。装置2Aは、複数の電子証明書8Bを発行した複数の組織のうちの少なくとも一つが組織リストに含まれる場合に、ステップS16,S17の処理を実行してもよい。 Similarly, the device 2A determines in step S15 whether each of the plurality of digital certificates 8B is valid, and then determines at least one of the organizations of the plurality of certificate authorities that issued the plurality of digital certificates 8B. It may be determined whether or not one is included in the organization list indicating a plurality of organizations stored in the memory of the device 2A. Specifically, the device 2A determines at least one of the organizations of the plurality of certificate authorities that issued the plurality of digital certificates 8B based on the information related to the attribute of the organization included in the electronic certificate 8B and the organization list. It may be determined whether one is included in the organization list. The device 2A may execute the processing of steps S16 and S17 when at least one of the plurality of organizations that issued the plurality of digital certificates 8B is included in the organization list.
 このように、公開鍵7Aの電子証明書を発行した組織が装置2Bに保存された組織リストに含まれると共に、公開鍵7Bの電子証明書を発行した組織が装置2Aに保存された組織リストに含まれる場合に、装置2Aと装置2Bは互いに直接的に接続されうる。つまり、電子証明書を発行した組織に関連した条件に応じて通信相手を選択することができると共に、情報処理システム内において複数の通信ネットワークグループを構築することが可能となる。 As described above, the organization that has issued the electronic certificate of the public key 7A is included in the organization list stored in the device 2B, and the organization that has issued the electronic certificate of the public key 7B is included in the organization list stored in the device 2A. If included, device 2A and device 2B may be directly connected to each other. That is, it is possible to select a communication partner according to the condition related to the organization that has issued the electronic certificate, and to construct a plurality of communication network groups in the information processing system.
 また、上記例では、装置2A,2Bは複数の電子証明書を取得しているが、装置2A,2Bが一つの電子証明書を取得する場合でも、電子証明書を発行した組織に関連した判定条件に関連する処理が適用されてもよい。例えば、装置2Aの電子証明書を発行した認証局の組織と装置2Bの電子証明書を発行した認証局の組織が互いに異なる場合に、ステップS13,S14の処理(ステップS16,S17)の処理が実行されなくてもよい。 Further, in the above example, the devices 2A and 2B have acquired a plurality of digital certificates. However, even when the devices 2A and 2B have acquired a single digital certificate, the determination related to the organization that issued the digital certificate has been performed. Processing related to the condition may be applied. For example, when the organization of the certificate authority that issued the digital certificate of the device 2A and the organization of the certificate authority that issued the digital certificate of the device 2B are different from each other, the processes of steps S13 and S14 (steps S16 and S17) are not performed. It need not be executed.
 尚、本実施形態では、装置2A,2Bのネットワークアドレスの一例としてインターネットプロトコルに対応したネットワークアドレスであるIPアドレスについて説明しているが、ネットワークアドレスはIPアドレスに限定されるものではない。例えば、装置2A,2Bのネットワークアドレスは、インターネットプロトコル以外の所定の通信プロトコルに対応したネットワークアドレスであってもよい。 In the present embodiment, an IP address that is a network address compatible with the Internet protocol is described as an example of the network address of the devices 2A and 2B, but the network address is not limited to the IP address. For example, the network addresses of the devices 2A and 2B may be network addresses corresponding to a predetermined communication protocol other than the Internet protocol.
 本出願は、2018年9月5日に出願された日本国特許出願(特願2018-166429号)に開示された内容を適宜援用する。 In this application, the contents disclosed in Japanese Patent Application No. 2018-166429 filed on September 5, 2018 are appropriately incorporated.

Claims (26)

  1.  装置のプロセッサによって実行される情報処理方法であって、
     前記装置の秘密鍵に基づいて前記装置の公開鍵を生成するステップと、
     前記公開鍵と所定のハッシュ関数に基づいてハッシュ値を生成するステップと、
     前記ハッシュ値に基づいて前記装置のネットワークアドレスを決定するステップと、
    を含む、情報処理方法。     An information processing method executed by a processor of the device,
    Generating a public key of the device based on a secret key of the device;
    Generating a hash value based on the public key and a predetermined hash function;
    Determining a network address of the device based on the hash value;
    An information processing method, including:
  2.  前記秘密鍵を生成するステップをさらに含む、請求項1に記載の情報処理方法。 2. The information processing method according to claim 1, further comprising: generating the secret key.
  3.  前記装置の外部に存在する外部装置に前記公開鍵を送信するステップをさらに含む、請求項1又は2に記載の情報処理方法。 The information processing method according to claim 1 or 2, further comprising: transmitting the public key to an external device existing outside the device.
  4.  前記ハッシュ値が所定の条件を満たすかどうか判定するステップをさらに含み、
     前記ハッシュ値が前記所定の条件を満たす場合に、前記ハッシュ値に基づいて前記ネットワークアドレスが決定される、請求項1から3のうちいずれか一項に記載の情報処理方法。     Determining whether the hash value satisfies a predetermined condition,
    The information processing method according to any one of claims 1 to 3, wherein the network address is determined based on the hash value when the hash value satisfies the predetermined condition.
  5.  前記秘密鍵を生成するステップをさらに含み、
     前記ハッシュ値が前記所定の条件を満たさない場合に、前記ハッシュ値が前記所定の条件を満たすまで前記秘密鍵を生成するステップと、前記公開鍵を生成するステップと、前記ハッシュ値を生成するステップが繰り返し実行される、請求項4に記載の情報処理方法。     Generating the secret key,
    When the hash value does not satisfy the predetermined condition, generating the secret key until the hash value satisfies the predetermined condition; generating the public key; and generating the hash value. 5. The information processing method according to claim 4, wherein is repeatedly executed.
  6.  前記所定の条件は、前記ハッシュ値のうちの先頭の2桁の値に関連付けられた条件を含む、請求項4又は5に記載の情報処理方法。 6. The information processing method according to claim 4, wherein the predetermined condition includes a condition associated with a leading two-digit value of the hash value. 7.
  7.  前記所定の条件は、前記装置の種類に関連付けられた条件を含む、請求項4から6のうちいずれか一項に記載の情報処理方法。 7. The information processing method according to claim 4, wherein the predetermined condition includes a condition associated with the type of the device.
  8.  前記ハッシュ値を生成するステップは、
     前記公開鍵と、所定の組織に関連付けられた値と、前記所定のハッシュ関数に基づいて前記ハッシュ値を生成するステップを含む、請求項1から7のうちいずれか一項に記載の情報処理方法。     The step of generating the hash value includes:
    The information processing method according to claim 1, further comprising: generating the hash value based on the public key, a value associated with a predetermined organization, and the predetermined hash function. .
  9.  前記所定の組織に関連付けられた値は、前記所定の組織の商標に関連付けられた値である、請求項8に記載の情報処理方法。 The information processing method according to claim 8, wherein the value associated with the predetermined organization is a value associated with a trademark of the predetermined organization.
  10.  前記公開鍵に関連付けられた電子証明書を認証局から取得するステップをさらに含む、請求項1から9のうちいずれか一項に記載の情報処理方法。 10. The information processing method according to claim 1, further comprising: acquiring an electronic certificate associated with the public key from a certificate authority. 10.
  11.  前記装置の外部に存在する外部装置に前記公開鍵と前記電子証明書を送信するステップとをさらに含む、請求項10に記載の情報処理方法。 The information processing method according to claim 10, further comprising: transmitting the public key and the electronic certificate to an external device existing outside the device.
  12.  前記電子証明書は、前記装置の属性に関連する属性情報を含む、請求項10又は11に記載の情報処理方法。 12. The information processing method according to claim 10, wherein the electronic certificate includes attribute information relating to an attribute of the device.
  13.  前記電子証明書は、前記装置に関連付けられたユーザの属性情報を含む、請求項10又は11に記載の情報処理方法。 12. The information processing method according to claim 10, wherein the electronic certificate includes attribute information of a user associated with the device.
  14.  前記電子証明書は、
     前記装置及び/又は前記装置に関連付けられたユーザの属性情報と、
     前記属性情報の全体のハッシュ値と、
    を含む、請求項10又は11に記載の情報処理方法。     The electronic certificate is
    Attribute information of the device and / or a user associated with the device;
    A hash value of the entire attribute information;
    The information processing method according to claim 10, comprising:
  15.  前記属性情報の一部がハッシュされている、請求項14に記載の情報処理方法。 15. The information processing method according to claim 14, wherein a part of the attribute information is hashed.
  16.  前記属性情報の一部と所定の係数とに基づいて、前記属性情報の一部がハッシュされている、請求項15に記載の情報処理方法。 16. The information processing method according to claim 15, wherein a part of the attribute information is hashed based on a part of the attribute information and a predetermined coefficient.
  17.  前記装置の外部に存在する外部装置から前記外部装置の公開鍵を受信するステップと、
     前記外部装置の公開鍵と前記所定のハッシュ関数に基づいて前記外部装置のハッシュ値を生成するステップと、
     前記外部装置のハッシュ値に基づいて前記外部装置のネットワークアドレスを決定するステップと、をさらに含む、請求項1から16うちいずれか一項に記載の情報処理方法。     Receiving a public key of the external device from an external device existing outside the device,
    Generating a hash value of the external device based on the public key of the external device and the predetermined hash function;
    17. The information processing method according to claim 1, further comprising: determining a network address of the external device based on a hash value of the external device.
  18.  前記外部装置の公開鍵を受信するステップは、
     前記外部装置の公開鍵と当該公開鍵に関連付けられた電子証明書を受信するステップを含み、
     前記情報処理方法は、前記電子証明書が正当であるかどうかを判定するステップをさらに含み、
     前記電子証明書が正当であると判定された場合に、前記外部装置の公開鍵に基づいて前記外部装置のハッシュ値が生成される、請求項17に記載の情報処理方法。     Receiving the public key of the external device,
    Including receiving a public key of the external device and an electronic certificate associated with the public key,
    The information processing method further includes a step of determining whether the digital certificate is valid,
    18. The information processing method according to claim 17, wherein when the electronic certificate is determined to be valid, a hash value of the external device is generated based on a public key of the external device.
  19.  装置のプロセッサによって実行される情報処理方法であって、
     前記装置の公開鍵に基づいて前記装置のネットワークアドレスを決定するステップを含む、
    情報処理方法。     An information processing method executed by a processor of the device,
    Determining a network address of the device based on a public key of the device,
    Information processing method.
  20.  ネットワークアドレスを管理するサーバを介せずに、前記装置のネットワークアドレスを用いた通信を実行するステップをさらに含む、請求項1から19のうちいずれか一項に記載の情報処理方法。 20. The information processing method according to claim 1, further comprising: performing communication using the network address of the device without using a server that manages the network address.
  21.  OSI参照モデルのネットワーク層において前記情報処理方法が実行される、請求項1から20のうちいずれか一項に記載の情報処理方法。 21. The information processing method according to claim 1, wherein the information processing method is executed in a network layer of an OSI reference model.
  22.  請求項1から21のうちのいずれか一項に記載の情報処理方法をコンピュータに実行させるための情報処理プログラム。 An information processing program for causing a computer to execute the information processing method according to any one of claims 1 to 21.
  23.  請求項22に記載の情報処理プログラムが保存されたコンピュータ読取可能な記憶媒体。 A computer-readable storage medium storing the information processing program according to claim 22.
  24.  少なくとも一つのプロセッサと、
     コンピュータ可読命令を記憶するメモリと、を備えた情報処理装置であって、
     前記コンピュータ可読命令が前記プロセッサにより実行されると、前記情報処理装置は、請求項1から23のうちいずれか一項に記載の前記情報処理方法を実行するように構成されている、情報処理装置。     At least one processor,
    A memory for storing computer readable instructions, and an information processing apparatus comprising:
    The information processing apparatus, wherein the information processing apparatus is configured to execute the information processing method according to any one of claims 1 to 23 when the computer readable instruction is executed by the processor. .
  25.  第1装置と前記第1装置に通信可能に接続される第2装置とを含む情報処理システムであって、
     前記第1装置は、
     前記第1装置の第1秘密鍵に基づいて前記第1装置の第1公開鍵を生成し、
     前記第1公開鍵と所定のハッシュ関数に基づいて第1ハッシュ値を生成し、
     前記第1ハッシュ値に基づいて前記第1装置の第1のネットワークアドレスを決定し、
     前記第1公開鍵を前記第2装置に送信し、
     前記第2装置は、
     前記第2装置の第2秘密鍵に基づいて前記2装置の第2公開鍵を生成し、
     前記第2公開鍵と前記所定のハッシュ関数に基づいて第2ハッシュ値を生成し、
     前記第2ハッシュ値に基づいて前記第2装置の第2のネットワークアドレスを決定し、
     前記第2公開鍵を前記第1装置に送信し、
     前記第1装置は、
     前記第2装置から前記第2公開鍵を受信し、
     前記第2公開鍵と前記所定のハッシュ関数に基づいて前記第2ハッシュ値を生成し、
     前記第2ハッシュ値に基づいて前記第2のネットワークアドレスを決定し、
     前記第2装置は、
     前記第1装置から前記第1公開鍵を受信し、
     前記第1公開鍵と前記所定のハッシュ関数に基づいて前記第1ハッシュ値を生成し、
     前記第1ハッシュ値に基づいて前記第1のネットワークアドレスを決定する、
    情報処理システム。     An information processing system including a first device and a second device communicably connected to the first device,
    The first device comprises:
    Generating a first public key of the first device based on a first secret key of the first device;
    Generating a first hash value based on the first public key and a predetermined hash function;
    Determining a first network address of the first device based on the first hash value;
    Transmitting the first public key to the second device;
    The second device includes:
    Generating a second public key of the second device based on a second secret key of the second device;
    Generating a second hash value based on the second public key and the predetermined hash function;
    Determining a second network address of the second device based on the second hash value;
    Transmitting the second public key to the first device;
    The first device comprises:
    Receiving the second public key from the second device;
    Generating the second hash value based on the second public key and the predetermined hash function;
    Determining the second network address based on the second hash value;
    The second device includes:
    Receiving the first public key from the first device;
    Generating the first hash value based on the first public key and the predetermined hash function;
    Determining the first network address based on the first hash value;
    Information processing system.
  26.  前記第1装置は、
     認証局に前記第1公開鍵を送信し、
     前記認証局から前記第1公開鍵に関連付けられた第1電子証明書を取得し、
     前記第1電子証明書と前記第1公開鍵を前記第2装置に送信し、
     前記第2装置は、
     前記認証局又は別の認証局に前記第2公開鍵を送信し、
     前記認証局又は前記別の認証局から前記第2公開鍵に関連付けられた第2電子証明書を取得し、
     前記第2電子証明書と前記第2公開鍵を前記第1装置に送信し、
     前記第1装置は、
     前記第2装置から前記第2公開鍵及び前記第2電子証明書を受信し、
     前記第2電子証明書が正当であるかどうかを判定し、
     前記第2装置は、
     前記第1装置から前記第1公開鍵及び前記第1電子証明書を受信し、
     前記第1電子証明書が正当であるかどうかを判定する、
    請求項25に記載の情報処理システム。     The first device comprises:
    Sending the first public key to a certificate authority,
    Obtaining a first digital certificate associated with the first public key from the certificate authority;
    Transmitting the first digital certificate and the first public key to the second device,
    The second device includes:
    Transmitting the second public key to the certificate authority or another certificate authority,
    Obtaining a second digital certificate associated with the second public key from the certificate authority or the another certificate authority,
    Transmitting the second digital certificate and the second public key to the first device;
    The first device comprises:
    Receiving the second public key and the second digital certificate from the second device;
    Determining whether the second digital certificate is valid,
    The second device includes:
    Receiving the first public key and the first digital certificate from the first device;
    Determining whether the first digital certificate is valid,
    An information processing system according to claim 25.
PCT/JP2019/005681 2018-09-05 2019-02-15 Information processing method, information processing program, information processing apparatus, and information processing system WO2020049754A1 (en)

Priority Applications (7)

Application Number Priority Date Filing Date Title
JP2020540994A JP7054559B2 (en) 2018-09-05 2019-02-15 Information processing method, information processing program, information processing device and information processing system
US17/273,611 US11902454B2 (en) 2018-09-05 2019-02-15 Information processing method, information processing program, information processing apparatus, and information processing system
EP19857922.9A EP3849131A4 (en) 2018-09-05 2019-02-15 Information processing method, information processing program, information processing apparatus, and information processing system
TW108132097A TWI802749B (en) 2018-09-05 2019-09-05 Information processing method, information processing program, information processing device and information processing system
TW112114414A TW202347986A (en) 2018-09-05 2019-09-05 Information processing method, information processing program, information processing apparatus, and information processing system
JP2021189977A JP2022031777A (en) 2018-09-05 2021-11-24 Information processing method, information processing program, information processing device, and information processing system
US18/393,835 US20240129137A1 (en) 2018-09-05 2023-12-22 Information processing method, information processing program, information processing apparatus, and information processing system

Applications Claiming Priority (2)

Application Number Priority Date Filing Date Title
JP2018-166429 2018-09-05
JP2018166429 2018-09-05

Related Child Applications (2)

Application Number Title Priority Date Filing Date
US17/273,611 A-371-Of-International US11902454B2 (en) 2018-09-05 2019-02-15 Information processing method, information processing program, information processing apparatus, and information processing system
US18/393,835 Continuation US20240129137A1 (en) 2018-09-05 2023-12-22 Information processing method, information processing program, information processing apparatus, and information processing system

Publications (1)

Publication Number Publication Date
WO2020049754A1 true WO2020049754A1 (en) 2020-03-12

Family

ID=69722520

Family Applications (1)

Application Number Title Priority Date Filing Date
PCT/JP2019/005681 WO2020049754A1 (en) 2018-09-05 2019-02-15 Information processing method, information processing program, information processing apparatus, and information processing system

Country Status (5)

Country Link
US (2) US11902454B2 (en)
EP (1) EP3849131A4 (en)
JP (4) JP7054559B2 (en)
TW (2) TWI802749B (en)
WO (1) WO2020049754A1 (en)

Cited By (2)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
JP2022134280A (en) * 2021-03-03 2022-09-15 Kddi株式会社 Authentication system
WO2024058095A1 (en) * 2022-09-12 2024-03-21 コネクトフリー株式会社 Network system, information processing device, and communication method

Families Citing this family (1)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
JP2022552420A (en) * 2019-10-18 2022-12-15 ティービーシーエーソフト,インコーポレイテッド Distributed ledger based method and system for certificate authentication

Citations (5)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
JP2003501878A (en) * 1999-05-27 2003-01-14 コーニンクレッカ フィリップス エレクトロニクス エヌ ヴィ Method and apparatus for securely generating a public key-private key pair
JP2003216571A (en) * 2002-01-24 2003-07-31 Ntt Docomo Inc Information transmitting and receiving system, information transmitting and receiving method, information transmitting and receiving program, and computer readable recording medium
US20070061574A1 (en) * 2001-04-12 2007-03-15 Microsoft Corporation Methods and Systems for Unilateral Authentication of Messages
JP2016515328A (en) 2013-02-25 2016-05-26 クアルコム,インコーポレイテッド Establishing Internet of Things (IoT) device groups and enabling communication between IoT device groups
JP2018166429A (en) 2017-03-29 2018-11-01 理研ビタミン株式会社 Quality improver for instant noodles

Family Cites Families (13)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US6802002B1 (en) 2000-01-14 2004-10-05 Hewlett-Packard Development Company, L.P. Method and apparatus for providing field confidentiality in digital certificates
US7624264B2 (en) 2003-03-27 2009-11-24 Microsoft Corporation Using time to determine a hash extension
JP2005051734A (en) 2003-07-15 2005-02-24 Hitachi Ltd Electronic document authenticity assurance method and electronic document disclosure system
JP2006254403A (en) 2005-02-14 2006-09-21 Nippon Telegr & Teleph Corp <Ntt> Signature information protective method and system thereof
JP4594962B2 (en) * 2007-06-04 2010-12-08 株式会社日立製作所 Verification server, program, and verification method
EP2394418A1 (en) 2009-02-05 2011-12-14 Telefonaktiebolaget LM Ericsson (publ) Host identity protocol server address configuration
US9325509B2 (en) * 2011-07-15 2016-04-26 Hitachi, Ltd. Determination method for cryptographic algorithm used for signature, validation server and program
US10015017B2 (en) * 2015-04-09 2018-07-03 Qualcomm Incorporated Proof of work based user identification system
CN107924437A (en) * 2015-06-17 2018-04-17 瑞典爱立信有限公司 Method and associated wireless devices and server for the security provisions for making it possible to realize voucher
US11025407B2 (en) 2015-12-04 2021-06-01 Verisign, Inc. Hash-based digital signatures for hierarchical internet public key infrastructure
US10581841B2 (en) * 2017-02-13 2020-03-03 Zentel Japan Corporation Authenticated network
US11979392B2 (en) * 2017-07-17 2024-05-07 Comcast Cable Communications, Llc Systems and methods for managing device association
US10728361B2 (en) * 2018-05-29 2020-07-28 Cisco Technology, Inc. System for association of customer information across subscribers

Patent Citations (5)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
JP2003501878A (en) * 1999-05-27 2003-01-14 コーニンクレッカ フィリップス エレクトロニクス エヌ ヴィ Method and apparatus for securely generating a public key-private key pair
US20070061574A1 (en) * 2001-04-12 2007-03-15 Microsoft Corporation Methods and Systems for Unilateral Authentication of Messages
JP2003216571A (en) * 2002-01-24 2003-07-31 Ntt Docomo Inc Information transmitting and receiving system, information transmitting and receiving method, information transmitting and receiving program, and computer readable recording medium
JP2016515328A (en) 2013-02-25 2016-05-26 クアルコム,インコーポレイテッド Establishing Internet of Things (IoT) device groups and enabling communication between IoT device groups
JP2018166429A (en) 2017-03-29 2018-11-01 理研ビタミン株式会社 Quality improver for instant noodles

Non-Patent Citations (1)

* Cited by examiner, † Cited by third party
Title
ANONYMOUS: "Report on Investigation of Current State of Identity Verification Technology", 1 March 2003 (2003-03-01), pages 1 - 288, XP055783284, Retrieved from the Internet <URL:http://www.ipa.go.jp/security/fy14/reports/authentication/authentication2002.pdf> [retrieved on 20120817] *

Cited By (3)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
JP2022134280A (en) * 2021-03-03 2022-09-15 Kddi株式会社 Authentication system
JP7412377B2 (en) 2021-03-03 2024-01-12 Kddi株式会社 Authentication system
WO2024058095A1 (en) * 2022-09-12 2024-03-21 コネクトフリー株式会社 Network system, information processing device, and communication method

Also Published As

Publication number Publication date
TW202027449A (en) 2020-07-16
US20210392001A1 (en) 2021-12-16
JP2022031777A (en) 2022-02-22
JPWO2020049754A1 (en) 2021-08-12
US11902454B2 (en) 2024-02-13
JP7054559B2 (en) 2022-04-14
JP2023106509A (en) 2023-08-01
EP3849131A4 (en) 2022-05-11
JP7536346B2 (en) 2024-08-20
EP3849131A1 (en) 2021-07-14
US20240129137A1 (en) 2024-04-18
TW202347986A (en) 2023-12-01
JP2024149592A (en) 2024-10-18
TWI802749B (en) 2023-05-21

Similar Documents

Publication Publication Date Title
JP7536346B2 (en) COMMUNICATION SYSTEM, COMMUNICATION DEVICE, COMMUNICATION METHOD, AND COMMUNICATION PROGRAM
CN114556865A (en) Electronic device and method for managing block chain address by using same
WO2015111221A1 (en) Device certificate provision apparatus, device certificate provision system, and device certificate provision program
US20240314563A1 (en) Data transmission method, communication processing method, device, and communication processing program
JP2015194879A (en) Authentication system, method, and provision device
JP2011082923A (en) Terminal device, signature producing server, simple id management system, simple id management method, and program
JP6447949B1 (en) Authentication system, authentication server, authentication method, and authentication program
US11962575B2 (en) Data transmission method, communication processing method, device, and communication processing program
US20220141002A1 (en) Data transmission method, communication processing method, device, and communication processing program
US20220377550A1 (en) Secure and trusted peer-to-peer offline communication systems and methods
JP2019004289A (en) Information processing apparatus, control method of the same, and information processing system
US9882891B2 (en) Identity verification
JP6542722B2 (en) Device list creating system and device list creating method
TWI822923B (en) Information communication methods, information communication systems, and methods of licensing services

Legal Events

Date Code Title Description
121 Ep: the epo has been informed by wipo that ep was designated in this application

Ref document number: 19857922

Country of ref document: EP

Kind code of ref document: A1

ENP Entry into the national phase

Ref document number: 2020540994

Country of ref document: JP

Kind code of ref document: A

NENP Non-entry into the national phase

Ref country code: DE

ENP Entry into the national phase

Ref document number: 2019857922

Country of ref document: EP

Effective date: 20210406